def test_sync_roles_single_role_definition_two_grants(self): syncer = RBACDefinitionsDBSyncer() # One role with two grants permission_grants = [{ 'resource_uid': 'pack:mapack1', 'permission_types': ['pack_all'] }, { 'resource_uid': 'pack:mapack2', 'permission_types': ['rule_view', 'action_view'] }] api = RoleDefinitionFileFormatAPI(name='test_role_2', description='test description 2', permission_grants=permission_grants) created_role_dbs, deleted_role_dbs = syncer.sync_roles( role_definition_apis=[api]) self.assertEqual(len(created_role_dbs), 1) self.assertItemsEqual(deleted_role_dbs, []) self.assertEqual(created_role_dbs[0].name, 'test_role_2') self.assertEqual(created_role_dbs[0].description, 'test description 2') self.assertEqual(len(created_role_dbs[0].permission_grants), 2) # Assert role and grants have been created in the DB self.assertRoleDBObjectExists(role_db=created_role_dbs[0]) for permission_grant_id in created_role_dbs[0].permission_grants: self.assertGrantDBObjectExists(permission_grant_id)
def test_sync_roles_no_definitions(self): syncer = RBACDefinitionsDBSyncer() # No definitions created_role_dbs, deleted_role_dbs = syncer.sync_roles(role_definition_apis=[]) self.assertItemsEqual(created_role_dbs, []) self.assertItemsEqual(deleted_role_dbs, [])
def test_sync_user_assignments_locally_removed_assignments_are_removed_from_db(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI(username='******', roles=['role_1', 'role_2']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertTrue(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) # Do the sync with one role defined (one should be removed from the db) api = UserRoleAssignmentFileFormatAPI(username='******', roles=['role_2']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertTrue(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_2'])
def test_sync_roles_single_role_definition_two_grants(self): syncer = RBACDefinitionsDBSyncer() # One role with two grants permission_grants = [ { 'resource_uid': 'pack:mapack1', 'permission_types': ['pack_all'] }, { 'resource_uid': 'pack:mapack2', 'permission_types': ['rule_view', 'action_view'] } ] api = RoleDefinitionFileFormatAPI(name='test_role_2', description='test description 2', permission_grants=permission_grants) created_role_dbs, deleted_role_dbs = syncer.sync_roles(role_definition_apis=[api]) self.assertEqual(len(created_role_dbs), 1) self.assertItemsEqual(deleted_role_dbs, []) self.assertEqual(created_role_dbs[0].name, 'test_role_2') self.assertEqual(created_role_dbs[0].description, 'test description 2') self.assertEqual(len(created_role_dbs[0].permission_grants), 2) # Assert role and grants have been created in the DB self.assertRoleDBObjectExists(role_db=created_role_dbs[0]) for permission_grant_id in created_role_dbs[0].permission_grants: self.assertGrantDBObjectExists(permission_grant_id)
def test_sync_assignments_user_doesnt_exist_in_db(self): # Make sure that the assignments for the users which don't exist in the db are still saved syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_1', 'role_2'], file_path='assignments/foobar.yaml') syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2'])
def test_sync_user_assignments_multiple_custom_roles_assignments(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1', 'role_2'], file_path='assignments/user2.yaml') syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) role_assignment_dbs = get_role_assignments_for_user( user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 2) self.assertEqual(role_assignment_dbs[0].source, 'assignments/user2.yaml') self.assertEqual(role_assignment_dbs[1].source, 'assignments/user2.yaml')
def test_sync_roles_locally_removed_roles_are_removed_from_db(self): syncer = RBACDefinitionsDBSyncer() # Initial state, DB is empty, we sync with two roles defined on disk self.assertEqual(len(Role.get_all()), 0) api1 = RoleDefinitionFileFormatAPI(name='test_role_1', description='test description 1', permission_grants=[]) api2 = RoleDefinitionFileFormatAPI(name='test_role_2', description='test description 2', permission_grants=[]) created_role_dbs, deleted_role_dbs = syncer.sync_roles(role_definition_apis=[api1, api2]) self.assertEqual(len(created_role_dbs), 2) self.assertItemsEqual(deleted_role_dbs, []) # Assert role and grants have been created in the DB self.assertEqual(len(Role.get_all()), 2) self.assertRoleDBObjectExists(role_db=created_role_dbs[0]) self.assertRoleDBObjectExists(role_db=created_role_dbs[1]) # We sync again, this time with one role (role 1) removed locally created_role_dbs, deleted_role_dbs = syncer.sync_roles(role_definition_apis=[api2]) self.assertEqual(len(created_role_dbs), 1) self.assertEqual(len(deleted_role_dbs), 2) # Assert role and grants have been created in the DB self.assertEqual(len(Role.get_all()), 1) self.assertRoleDBObjectExists(role_db=created_role_dbs[0]) self.assertEqual(Role.get_all()[0].name, 'test_role_2')
def test_sync_role_assignments_no_assignment_file_on_disk(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles user_db = self.users['user_3'] role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_1', 'role_2'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) # Do the sync with no roles - existing assignments should be removed from the databse syncer.sync_users_role_assignments(role_assignment_apis=[]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 0)
def test_sync_assignments_are_removed_user_doesnt_exist_in_db(self): # Make sure that the assignments for the users which don't exist in the db are correctly # removed syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=['role_1', 'role_2']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) # Sync with no roles on disk - existing roles should be removed syncer.sync_users_role_assignments(role_assignment_apis=[]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 0) username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with three roles defined api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=['role_1', 'role_2', 'role_3']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 3) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) self.assertEqual(role_dbs[2], self.roles['role_3']) # Sync with one role on disk - two roles should be removed api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=['role_3']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_3'])
def apply_definitions(): loader = RBACDefinitionsLoader() result = loader.load() role_definition_apis = result['roles'].values() role_assignment_apis = result['role_assignments'].values() syncer = RBACDefinitionsDBSyncer() result = syncer.sync(role_definition_apis=role_definition_apis, role_assignment_apis=role_assignment_apis) return result
def apply_definitions(): loader = RBACDefinitionsLoader() result = loader.load() role_definition_apis = list(result['roles'].values()) role_assignment_apis = list(result['role_assignments'].values()) group_to_role_map_apis = list(result['group_to_role_maps'].values()) syncer = RBACDefinitionsDBSyncer() result = syncer.sync(role_definition_apis=role_definition_apis, role_assignment_apis=role_assignment_apis, group_to_role_map_apis=group_to_role_map_apis) return result
def test_sync_roles_single_role_definition_no_grants(self): syncer = RBACDefinitionsDBSyncer() # One role with no grants api = RoleDefinitionFileFormatAPI(name='test_role_1', description='test description 1', permission_grants=[]) created_role_dbs, deleted_role_dbs = syncer.sync_roles(role_definition_apis=[api]) self.assertEqual(len(created_role_dbs), 1) self.assertItemsEqual(deleted_role_dbs, []) self.assertEqual(created_role_dbs[0].name, 'test_role_1') self.assertEqual(created_role_dbs[0].description, 'test description 1') self.assertItemsEqual(created_role_dbs[0].permission_grants, []) # Assert role has been created in the DB self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
def test_sync_user_assignments_single_role_assignment(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_1']) self.assertItemsEqual(role_dbs, []) # Do the sync with a single role defined api = UserRoleAssignmentFileFormatAPI(username='******', roles=['role_1']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_1']) self.assertItemsEqual(role_dbs, [self.roles['role_1']])
def test_sync_user_assignments_assignments_without_is_remote_are_deleted(self): # Test case which verifies roles without "is_remote" field (pre v2.3) are removed from the # database syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, 4 roles role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_5']) self.assertEqual(len(role_assignment_dbs), 4) # All 3 non remote roles should have been deleted syncer.sync_users_role_assignments(role_assignment_apis=[]) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_5']) self.assertEqual(len(role_assignment_dbs), 1) self.assertEqual(role_assignment_dbs[0].role, 'role_4') self.assertEqual(role_assignment_dbs[0].is_remote, True)
def test_sync_remote_assignments_are_not_manipulated(self): # Verify remote assignments are not manipulated. syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles user_db = UserDB(name='doesntexistwhaha') role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Create mock remote role assignment role_db = self.roles['role_3'] source = 'assignments/%s.yaml' % user_db.name role_assignment_db = assign_role_to_user( role_db=role_db, user_db=user_db, source=source, is_remote=True) self.assertTrue(role_assignment_db.is_remote) # Verify assignment has been created role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, [self.roles['role_3']]) # Do the sync with two roles defined - verify remote role assignment hasn't been # manipulated with. api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_1', 'role_2'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 3) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) self.assertEqual(role_dbs[2], self.roles['role_3']) # Do sync with no roles - verify all roles except remote one are removed. api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=[], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_3'])
def test_sync_user_assignments_multiple_custom_roles_assignments(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI(username='******', roles=['role_1', 'role_2']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertTrue(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2'])
def test_sync_assignments_user_doesnt_exist_in_db(self): # Make sure that the assignments for the users which don't exist in the db are still saved syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles user_db = UserDB(name='doesntexistwhaha') role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=['role_1', 'role_2']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertTrue(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2'])
def test_sync_user_assignments_multiple_sources_same_role_assignment(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with role defined in separate files assignment1 = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1'], file_path='assignments/user2a.yaml') assignment2 = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1'], file_path='assignments/user2b.yaml') syncer.sync_users_role_assignments(role_assignment_apis=[assignment1, assignment2]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_1']) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 2) sources = [r.source for r in role_assignment_dbs] self.assertIn('assignments/user2a.yaml', sources) self.assertIn('assignments/user2b.yaml', sources) # Do another sync with one assignment file removed - only one assignment should be left syncer.sync_users_role_assignments(role_assignment_apis=[assignment2]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_1']) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 1) sources = [r.source for r in role_assignment_dbs] self.assertIn('assignments/user2b.yaml', sources)
def test_sync_role_assignments_no_assignment_file_on_disk(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles user_db = self.users['user_3'] role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=['role_1', 'role_2']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) # Do the sync with no roles - existing assignments should be removed from the databse syncer.sync_users_role_assignments(role_assignment_apis=[]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 0)
def test_sync_user_assignments_locally_removed_assignments_are_removed_from_db(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI(username='******', roles=['role_1', 'role_2']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) # Do the sync with one role defined (one should be removed from the db) api = UserRoleAssignmentFileFormatAPI(username='******', roles=['role_2']) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_2'])
def test_sync_user_assignments_role_doesnt_exist_in_db(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with role defined in separate files assignment1 = UserRoleAssignmentFileFormatAPI( username='******', roles=['doesnt_exist'], file_path='assignments/user2.yaml') expected_msg = ('Role "doesnt_exist" referenced in assignment file ' '"assignments/user2.yaml" doesn\'t exist') self.assertRaisesRegexp(ValueError, expected_msg, syncer.sync_users_role_assignments, role_assignment_apis=[assignment1])
def test_sync_remote_assignments_are_not_manipulated(self): # Verify remote assignments are not manipulated. syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles user_db = UserDB(name='doesntexistwhaha') role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Create mock remote role assignment role_db = self.roles['role_3'] source = 'assignments/%s.yaml' % user_db.name role_assignment_db = assign_role_to_user(role_db=role_db, user_db=user_db, source=source, is_remote=True) self.assertTrue(role_assignment_db.is_remote) # Verify assignment has been created role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, [self.roles['role_3']]) # Do the sync with two roles defined - verify remote role assignment hasn't been # manipulated with. api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=['role_1', 'role_2'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 3) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) self.assertEqual(role_dbs[2], self.roles['role_3']) # Do sync with no roles - verify all roles except remote one are removed. api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=[], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_3'])
def test_sync_user_assignments_multiple_sources_same_role_assignment(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with role defined in separate files assignment1 = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1'], file_path='assignments/user2a.yaml') assignment2 = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1'], file_path='assignments/user2b.yaml') syncer.sync_users_role_assignments( role_assignment_apis=[assignment1, assignment2]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_1']) role_assignment_dbs = get_role_assignments_for_user( user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 2) sources = [r.source for r in role_assignment_dbs] self.assertIn('assignments/user2a.yaml', sources) self.assertIn('assignments/user2b.yaml', sources) # Do another sync with one assignment file removed - only one assignment should be left syncer.sync_users_role_assignments(role_assignment_apis=[assignment2]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_1']) role_assignment_dbs = get_role_assignments_for_user( user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 1) sources = [r.source for r in role_assignment_dbs] self.assertIn('assignments/user2b.yaml', sources)
def test_sync_assignments_are_removed_user_doesnt_exist_in_db(self): # Make sure that the assignments for the users which don't exist in the db are correctly # removed syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_1', 'role_2'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) # Sync with no roles on disk - existing roles should be removed syncer.sync_users_role_assignments(role_assignment_apis=[]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 0) username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with three roles defined api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_1', 'role_2', 'role_3'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 3) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) self.assertEqual(role_dbs[2], self.roles['role_3']) role_assignment_dbs = get_role_assignments_for_user(user_db=user_db) self.assertEqual(len(role_assignment_dbs), 3) self.assertEqual(role_assignment_dbs[0].source, 'assignments/%s.yaml' % user_db.name) # Sync with one role on disk - two roles should be removed api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_3'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_3'])