def test_sync_user_assignments_locally_removed_assignments_are_removed_from_db(
self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = get_roles_for_user(user_db=self.users['user_2'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1', 'role_2'],
file_path='assignments/user2.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
# Do the sync with one role defined (one should be removed from the db)
api = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_2'],
file_path='assignments/user2.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_2'])
def test_sync_assignments_are_removed_user_doesnt_exist_in_db(self):
# Make sure that the assignments for the users which don't exist in the db are correctly
# removed
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
username = '******'
# Initial state, no roles
user_db = UserDB(name=username)
self.assertEqual(len(User.query(name=username)), 0)
role_dbs = get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_1', 'role_2'])
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
# Sync with no roles on disk - existing roles should be removed
syncer.sync_users_role_assignments(role_assignment_apis=[])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 0)
username = '******'
# Initial state, no roles
user_db = UserDB(name=username)
self.assertEqual(len(User.query(name=username)), 0)
role_dbs = get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Do the sync with three roles defined
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_1', 'role_2', 'role_3'])
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 3)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
self.assertEqual(role_dbs[2], self.roles['role_3'])
# Sync with one role on disk - two roles should be removed
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_3'])
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_3'])
def test_sync_user_assignments_multiple_sources_same_role_assignment(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with role defined in separate files
assignment1 = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1'],
file_path='assignments/user2a.yaml')
assignment2 = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1'],
file_path='assignments/user2b.yaml')
syncer.sync_users_role_assignments(
role_assignment_apis=[assignment1, assignment2])
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_1'])
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_assignment_dbs), 2)
sources = [r.source for r in role_assignment_dbs]
self.assertIn('assignments/user2a.yaml', sources)
self.assertIn('assignments/user2b.yaml', sources)
# Do another sync with one assignment file removed - only one assignment should be left
syncer.sync_users_role_assignments(role_assignment_apis=[assignment2])
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_1'])
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_assignment_dbs), 1)
sources = [r.source for r in role_assignment_dbs]
self.assertIn('assignments/user2b.yaml', sources)
def test_sync_remote_assignments_are_not_manipulated(self):
# Verify remote assignments are not manipulated.
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
user_db = UserDB(name='doesntexistwhaha')
role_dbs = get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Create mock remote role assignment
role_db = self.roles['role_3']
source = 'assignments/%s.yaml' % user_db.name
role_assignment_db = assign_role_to_user(role_db=role_db,
user_db=user_db,
source=source,
is_remote=True)
self.assertTrue(role_assignment_db.is_remote)
# Verify assignment has been created
role_dbs = get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [self.roles['role_3']])
# Do the sync with two roles defined - verify remote role assignment hasn't been
# manipulated with.
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_1', 'role_2'],
file_path='assignments/%s.yaml' %
user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 3)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
self.assertEqual(role_dbs[2], self.roles['role_3'])
# Do sync with no roles - verify all roles except remote one are removed.
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=[],
file_path='assignments/%s.yaml' %
user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_3'])
def test_sync_role_assignments_no_assignment_file_on_disk(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
user_db = self.users['user_3']
role_dbs = get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_1', 'role_2'],
file_path='assignments/%s.yaml' %
user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
# Do the sync with no roles - existing assignments should be removed from the databse
syncer.sync_users_role_assignments(role_assignment_apis=[])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 0)
def test_sync_assignments_user_doesnt_exist_in_db(self):
# Make sure that the assignments for the users which don't exist in the db are still saved
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
username = '******'
# Initial state, no roles
user_db = UserDB(name=username)
self.assertEqual(len(User.query(name=username)), 0)
role_dbs = get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(
username=user_db.name,
roles=['role_1', 'role_2'],
file_path='assignments/foobar.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
def test_sync_user_assignments_multiple_custom_roles_assignments(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = get_roles_for_user(user_db=self.users['user_2'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1', 'role_2'],
file_path='assignments/user2.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
role_assignment_dbs = get_role_assignments_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_assignment_dbs), 2)
self.assertEqual(role_assignment_dbs[0].source,
'assignments/user2.yaml')
self.assertEqual(role_assignment_dbs[1].source,
'assignments/user2.yaml')
def test_sync_user_assignments_single_role_assignment(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_1'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with a single role defined
api = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1'],
file_path='assignments/user1.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_1'])
self.assertItemsEqual(role_dbs, [self.roles['role_1']])
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=self.users['user_1'])
self.assertEqual(len(role_assignment_dbs), 1)
self.assertEqual(role_assignment_dbs[0].source,
'assignments/user1.yaml')
def load_user_role_assignments_from_file(self, file_path):
"""
Load user role assignments from file.
:param file_path: Path to the user role assignment file.
:type file_path: ``str``
:return: User role assignments.
:rtype: :class:`UserRoleAssignmentFileFormatAPI`
"""
content = self._meta_loader.load(file_path)
user_role_assignment_api = UserRoleAssignmentFileFormatAPI(**content)
user_role_assignment_api.validate()
return user_role_assignment_api
def load_user_role_assignments_from_file(self, file_path):
"""
Load user role assignments from file.
:param file_path: Path to the user role assignment file.
:type file_path: ``str``
:return: User role assignments.
:rtype: :class:`UserRoleAssignmentFileFormatAPI`
"""
content = self._meta_loader.load(file_path)
if not content:
msg = ('Role assignment file "%s" is empty and invalid' % file_path)
raise ValueError(msg)
user_role_assignment_api = UserRoleAssignmentFileFormatAPI(**content)
user_role_assignment_api.validate()
return user_role_assignment_api
def load_user_role_assignments_from_file(self, file_path):
"""
Load user role assignments from file.
:param file_path: Path to the user role assignment file.
:type file_path: ``str``
:return: User role assignments.
:rtype: :class:`UserRoleAssignmentFileFormatAPI`
"""
content = self._meta_loader.load(file_path)
if not content:
msg = ('Role assignment file "%s" is empty and invalid' % file_path)
raise ValueError(msg)
user_role_assignment_api = UserRoleAssignmentFileFormatAPI(**content)
user_role_assignment_api.file_path = file_path[file_path.rfind('assignments/'):]
user_role_assignment_api = user_role_assignment_api.validate()
return user_role_assignment_api
def test_sync_user_assignments_single_role_assignment(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = get_roles_for_user(user_db=self.users['user_1'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with a single role defined
api = UserRoleAssignmentFileFormatAPI(username='******',
roles=['role_1'])
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = get_roles_for_user(user_db=self.users['user_1'])
self.assertItemsEqual(role_dbs, [self.roles['role_1']])
def test_sync_user_assignments_role_doesnt_exist_in_db(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = get_roles_for_user(user_db=self.users['user_2'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with role defined in separate files
assignment1 = UserRoleAssignmentFileFormatAPI(
username='******', roles=['doesnt_exist'], file_path='assignments/user2.yaml')
expected_msg = ('Role "doesnt_exist" referenced in assignment file '
'"assignments/user2.yaml" doesn\'t exist')
self.assertRaisesRegexp(ValueError, expected_msg, syncer.sync_users_role_assignments,
role_assignment_apis=[assignment1])
