def test_diff(mocker): from ldap2pg.privilege import Privilege, Grant, Acl priv = Privilege(name='priv', revoke='REVOKE {role}', grant='GRANT {role}') nogrant = Privilege(name='nogrant', revoke='REVOKE') norvk = Privilege(name='norvk', grant='GRANT') privileges = {p.name: p for p in [priv, nogrant, norvk]} item0 = Grant(privilege=priv.name, dbname='backend', role='daniel') pgacl = Acl([ item0, Grant(privilege=priv.name, dbname='backend', role='alice'), Grant(priv.name, dbname='backend', role='irrelevant', full=None), Grant(privilege=norvk.name, role='torevoke'), ]) ldapacl = Acl([ item0, Grant(privilege=priv.name, dbname='backend', role='david'), Grant(privilege=nogrant.name, role='togrant'), ]) queries = [q.args[0] for q in pgacl.diff(ldapacl, privileges)] assert not fnfilter(queries, 'REVOKE "daniel"*') assert fnfilter(queries, 'REVOKE "alice"*') assert fnfilter(queries, 'GRANT "david"*')
def test_expand_defacl(): from ldap2pg.privilege import DefAcl, Acl, Grant, UserError priv = DefAcl('select', grant='ALTER FOR GRANT SELECT') item0 = Grant('select', Grant.ALL_DATABASES, schema=Grant.ALL_SCHEMAS) item1 = Grant('select', ['postgres'], schema=['information_schema']) assert repr(item0.schema) set_ = Acl([item0, item1]) items = sorted( set_.expandgrants( aliases=dict(select=['select']), privileges={priv.name: priv}, databases=dict( postgres=dict(information_schema=['postgres'], ), template1=dict(information_schema=['postgres'], ), ), ), key=lambda x: x.dbname, ) assert 3 == len(items) assert 'postgres' == items[0].dbname assert 'template1' == items[2].dbname with pytest.raises(UserError): list( set_.expandgrants( aliases=dict(select=['select']), privileges={priv.name: priv}, databases=dict(), ))
def test_postprocess_acl_inexistant_privilege(): from ldap2pg.manager import SyncManager, UserError from ldap2pg.privilege import Acl, Grant manager = SyncManager() with pytest.raises(UserError): manager.postprocess_acl( acl=Acl([Grant('inexistant')]), schemas=dict(postgres=dict(public=['postgres'])), )
def test_expand_nok(): from ldap2pg.privilege import Acl, Grant set_ = Acl([Grant('inexistant')]) with pytest.raises(ValueError): list(set_.expandgrants( aliases=dict(), privileges=dict(), databases=dict(), )) set_ = Acl([Grant('inexistant_dep')]) with pytest.raises(ValueError): list(set_.expandgrants( aliases=dict(inexistant_dep=['inexistant']), privileges=dict(), databases=dict(), ))
def test_postprocess_grants(): from ldap2pg.manager import SyncManager from ldap2pg.privilege import DefAcl, Grant, Acl manager = SyncManager( privileges=dict(ro=DefAcl(name='ro')), privilege_aliases=dict(ro=['ro']), ) # No owners acl = manager.postprocess_acl(Acl(), schemas=dict()) assert 0 == len(acl) acl = Acl([Grant(privilege='ro', dbname=['db'], schema=None)]) acl = manager.postprocess_acl( acl, schemas=dict(db=dict( public=['postgres', 'owner'], ns=['owner'], )), ) # One grant per schema, per owner assert 3 == len(acl)
def test_grant_set(): from ldap2pg.privilege import Grant, Acl acl0 = Grant('ro', 'postgres', None, 'alice') acl1 = Grant.from_row('ro', 'postgres', None, 'bob') assert acl0 < acl1 duplicata = Grant('ro', 'postgres', None, 'alice') set_ = Acl([acl0, acl1, duplicata]) assert 2 == len(set_) assert 'postgres' in str(acl0) assert 'ro' in repr(acl0) assert acl0 != acl1 assert acl0 == duplicata
def test_postprocess_acl_bad_database(): from ldap2pg.manager import SyncManager, UserError from ldap2pg.privilege import NspAcl, Grant, Acl from ldap2pg.utils import make_group_map privileges = dict(ro=NspAcl(name='ro', inspect='SQL')) manager = SyncManager( privileges=privileges, privilege_aliases=make_group_map(privileges), ) acl = Acl([Grant('ro', ['inexistantdb'], None, 'alice')]) schemas = dict(postgres=dict(public=['postgres'])) with pytest.raises(UserError) as ei: manager.postprocess_acl(acl, schemas) assert 'inexistantdb' in str(ei.value)