def test_generate_permission_queries_with_requires_owner(
self, mocker, mock_connector):
spec_file_data = (SnowflakeSchemaBuilder().set_version(
"1.0").require_owner().build())
print("Spec file is: ")
print(spec_file_data)
mocker.patch("builtins.open",
mocker.mock_open(read_data=spec_file_data))
loader = SnowflakeSpecLoader("", mock_connector)
queries = loader.generate_permission_queries()
assert [] == queries
def test_check_entities_on_snowflake_server_no_schemas(
self, test_dir, mocker, mock_connector):
mocker.patch.object(mock_connector, "show_schemas")
SnowflakeSpecLoader(
os.path.join(test_dir, "specs", "snowflake_spec_blank.yml"),
mock_connector)
mock_connector.show_schemas.assert_not_called()
def test_role_filter(self, mocker, test_roles_mock_connector,
test_roles_spec_file):
"""Make sure that the grant queries list can be filtered by role."""
print(f"Spec File Data is:\n{test_roles_spec_file}")
mocker.patch("builtins.open",
mocker.mock_open(read_data=test_roles_spec_file))
spec_loader = SnowflakeSpecLoader(spec_path="",
conn=test_roles_mock_connector)
assert spec_loader.generate_permission_queries(role="primary") == [{
"already_granted":
False,
"sql":
"GRANT ROLE testrole TO role primary"
}]
def test_load_spec_loads_file(self, mocker, mock_connector):
mock_open = mocker.patch(
"builtins.open", mocker.mock_open(read_data="""version: "1.0" """))
filepath = "filepath to open"
SnowflakeSpecLoader(filepath, mock_connector)
mock_open.assert_called_once_with(filepath, "r")
def test_check_permissions_on_snowflake_server_gets_current_user_info(
self, test_dir, mocker, mock_connector):
mocker.patch.object(mock_connector, "get_current_user")
SnowflakeSpecLoader(
os.path.join(test_dir, "specs", "snowflake_spec_blank.yml"),
mock_connector)
mock_connector.get_current_user.assert_called()
def test_load_spec_with_owner(self, spec_file_data, method, return_value,
mocker, mock_connector):
print("Spec file is: ")
print(spec_file_data)
mocker.patch("builtins.open",
mocker.mock_open(read_data=spec_file_data))
mocker.patch.object(mock_connector, method, return_value=return_value)
SnowflakeSpecLoader("", mock_connector)
def test_check_entities_on_snowflake_server_checks_role_owner(
self, spec_file_data, method, return_value, mocker,
mock_connector):
print("Spec file is: ")
print(spec_file_data)
mocker.patch("builtins.open",
mocker.mock_open(read_data=spec_file_data))
mocker.patch.object(mock_connector, method, return_value=return_value)
SnowflakeSpecLoader("", mock_connector)
def test_check_permissions_on_snowflake_server_as_securityadmin(
self, test_dir, mocker, mock_connector):
mocker.patch.object(MockSnowflakeConnector,
"get_current_role",
return_value="securityadmin")
SnowflakeSpecLoader(
os.path.join(test_dir, "specs", "snowflake_spec_blank.yml"),
mock_connector)
mock_connector.get_current_role.assert_called()
def grant(spec, dry, diff):
"""Grant the permissions provided in the provided specification file."""
try:
spec_loader = SnowflakeSpecLoader(spec)
sql_grant_queries = spec_loader.generate_permission_queries()
click.secho()
if diff:
click.secho(
"SQL Commands generated for given spec file (Full diff with both new and already granted commands):"
)
else:
click.secho("SQL Commands generated for given spec file:")
click.secho()
conn = SnowflakeConnector()
for query in sql_grant_queries:
if not dry:
status = None
if not query.get("already_granted"):
try:
result = conn.run_query(query.get("sql"))
outcome = result.fetchall()
status = True
except:
status = False
ran_query = query
ran_query["run_status"] = status
print_command(ran_query, diff)
# If already granted, print command
else:
print_command(query, diff)
# If dry, print commands
else:
print_command(query, diff)
except SpecLoadingError as exc:
for line in str(exc).splitlines():
click.secho(line, fg="red")
sys.exit(1)
def test_check_permissions_on_snowflake_server_not_as_securityadmin(
self, test_dir, mocker, mock_connector):
mocker.patch.object(MockSnowflakeConnector,
"get_current_role",
return_value="notsecurityadmin")
with pytest.raises(SpecLoadingError) as context:
SnowflakeSpecLoader(
os.path.join(test_dir, "specs", "snowflake_spec_blank.yml"),
mock_connector,
)
mock_connector.get_current_role.assert_called()
def test_load_spec_owner_required_with_no_owner(self, spec_file_data,
method, return_value,
mocker, mock_connector):
print("Spec file is: ")
print(spec_file_data)
mocker.patch("builtins.open",
mocker.mock_open(read_data=spec_file_data))
mocker.patch.object(mock_connector, method, return_value=return_value)
with pytest.raises(SpecLoadingError) as context:
SnowflakeSpecLoader("", mock_connector)
assert "Spec Error: Owner not defined" in str(context.value)
def test_no_role_filter(self, mocker, test_roles_mock_connector,
test_roles_spec_file):
"""Test that the generate_permissions_query does no filtering on
receipt of a None value for the role to filter."""
print(f"Spec File Data is:\n{test_roles_spec_file}")
mocker.patch("builtins.open",
mocker.mock_open(read_data=test_roles_spec_file))
spec_loader = SnowflakeSpecLoader(spec_path="",
conn=test_roles_mock_connector)
expected_sql_queries = [
{
"already_granted": False,
"sql": "GRANT ROLE testrole TO role testrole"
},
{
"already_granted": False,
"sql": "GRANT ROLE testrole TO role securityadmin",
},
{
"already_granted": False,
"sql": "GRANT ROLE testrole TO role primary"
},
{
"already_granted": False,
"sql": "GRANT ROLE testrole TO role secondary"
},
{
"already_granted": False,
"sql": "ALTER USER testusername SET DISABLED = FALSE",
},
{
"already_granted": False,
"sql": "ALTER USER testuser SET DISABLED = FALSE",
},
]
assert spec_loader.generate_permission_queries(
) == expected_sql_queries
def test_check_entities_on_snowflake_server_errors_if_role_owner_does_not_match(
self,
spec_file_data,
method,
return_value,
mocker,
mock_connector,
expected_error,
):
print("Spec file is: ")
print(spec_file_data)
mocker.patch("builtins.open",
mocker.mock_open(read_data=spec_file_data))
mocker.patch.object(mock_connector, method, return_value=return_value)
with pytest.raises(SpecLoadingError) as context:
SnowflakeSpecLoader("", mock_connector)
assert expected_error in str(context.value)