def test_sync_user_same_role_granted_locally_and_remote_via_mapping(self): syncer = RBACRemoteGroupToRoleSyncer() user_db = self.users['user_6'] # Insert 2 local assignments for mock_role_7 role_db = create_role(name='mock_role_7') source = 'assignments/user_6_one.yaml' assign_role_to_user(role_db=role_db, user_db=user_db, source=source, is_remote=False) source = 'assignments/user_6_two.yaml' assign_role_to_user(role_db=role_db, user_db=user_db, source=source, is_remote=False) # Create mock mapping which maps CN=stormers,OU=groups,DC=stackstorm,DC=net # to "mock_role_7" create_group_to_role_map(group='CN=stormers,OU=groups,DC=stackstorm,DC=net', roles=['mock_role_7'], source='mappings/stormers.yaml') # Create mock mapping which maps CN=testers,OU=groups,DC=stackstorm,DC=net # to "mock_role_7" create_group_to_role_map(group='CN=testers,OU=groups,DC=stackstorm,DC=net', roles=['mock_role_7'], source='mappings/testers.yaml') groups = [ 'CN=stormers,OU=groups,DC=stackstorm,DC=net', 'CN=testers,OU=groups,DC=stackstorm,DC=net' ] result = syncer.sync(user_db=self.users['user_6'], groups=groups) created_role_assignment_dbs = result[0] removed_role_assignment_dbs = result[1] self.assertEqual(len(created_role_assignment_dbs), 2) self.assertEqual(created_role_assignment_dbs[0].role, 'mock_role_7') self.assertEqual(created_role_assignment_dbs[1].role, 'mock_role_7') self.assertEqual(removed_role_assignment_dbs, []) # There should be one role and 4 assignments for the same role role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0].name, 'mock_role_7') role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_6']) self.assertEqual(len(role_assignment_dbs), 4) self.assertEqual(role_assignment_dbs[0].source, 'assignments/user_6_one.yaml') self.assertEqual(role_assignment_dbs[1].source, 'assignments/user_6_two.yaml') self.assertEqual(role_assignment_dbs[2].source, 'mappings/stormers.yaml') self.assertEqual(role_assignment_dbs[3].source, 'mappings/testers.yaml') # Remove one remote group - should be 3 left groups = [ 'CN=stormers,OU=groups,DC=stackstorm,DC=net' ] result = syncer.sync(user_db=self.users['user_6'], groups=groups) role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0].name, 'mock_role_7') role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_6']) self.assertEqual(len(role_assignment_dbs), 3)
def test_sync_success_no_existing_remote_assignments(self): syncer = RBACRemoteGroupToRoleSyncer() user_db = self.users['user_1'] # Create mock mapping which maps CN=stormers,OU=groups,DC=stackstorm,DC=net # to "mock_remote_role_3" and "mock_remote_role_4" create_group_to_role_map( group='CN=stormers,OU=groups,DC=stackstorm,DC=net', roles=['mock_remote_role_3', 'mock_remote_role_4'], source='mappings/stormers.yaml') # Verify initial state role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) role_assignment_dbs = get_role_assignments_for_user( user_db=self.users['user_1']) groups = [ 'CN=stormers,OU=groups,DC=stackstorm,DC=net', 'CN=testers,OU=groups,DC=stackstorm,DC=net', # We repeat the same group to validate that repated groups are correctly de-duplicated 'CN=stormers,OU=groups,DC=stackstorm,DC=net', ] result = syncer.sync(user_db=self.users['user_1'], groups=groups) created_role_assignment_dbs = result[0] removed_role_assignment_dbs = result[1] self.assertEqual(len(created_role_assignment_dbs), 2) self.assertEqual(created_role_assignment_dbs[0].role, 'mock_remote_role_3') self.assertEqual(created_role_assignment_dbs[1].role, 'mock_remote_role_4') self.assertEqual(removed_role_assignment_dbs, []) # User should have two new roles assigned now role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 4) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) self.assertEqual(role_dbs[1], self.roles['mock_local_role_2']) self.assertEqual(role_dbs[2], self.roles['mock_remote_role_3']) self.assertEqual(role_dbs[3], self.roles['mock_remote_role_4']) role_assignment_dbs = get_role_assignments_for_user( user_db=self.users['user_1']) self.assertEqual(len(role_assignment_dbs), 4) self.assertEqual(role_assignment_dbs[2].source, 'mappings/stormers.yaml') self.assertEqual(role_assignment_dbs[3].source, 'mappings/stormers.yaml')
def test_sync_user_assignments_multiple_sources_same_role_assignment(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with role defined in separate files assignment1 = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1'], file_path='assignments/user2a.yaml') assignment2 = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1'], file_path='assignments/user2b.yaml') syncer.sync_users_role_assignments( role_assignment_apis=[assignment1, assignment2]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_1']) role_assignment_dbs = get_role_assignments_for_user( user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 2) sources = [r.source for r in role_assignment_dbs] self.assertIn('assignments/user2a.yaml', sources) self.assertIn('assignments/user2b.yaml', sources) # Do another sync with one assignment file removed - only one assignment should be left syncer.sync_users_role_assignments(role_assignment_apis=[assignment2]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_1']) role_assignment_dbs = get_role_assignments_for_user( user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 1) sources = [r.source for r in role_assignment_dbs] self.assertIn('assignments/user2b.yaml', sources)
def test_sync_user_assignments_multiple_custom_roles_assignments(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1', 'role_2'], file_path='assignments/user2.yaml') syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) role_assignment_dbs = get_role_assignments_for_user( user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 2) self.assertEqual(role_assignment_dbs[0].source, 'assignments/user2.yaml') self.assertEqual(role_assignment_dbs[1].source, 'assignments/user2.yaml')
def sync_users_role_assignments(self, role_assignment_apis): """ Synchronize role assignments for all the users in the database. :param role_assignment_apis: Role assignments API objects for the assignments loaded from the files. :type role_assignment_apis: ``list`` of :class:`UserRoleAssignmentFileFormatAPI` :return: Dictionary with created and removed role assignments for each user. :rtype: ``dict`` """ LOG.info("Synchronizing users role assignments...") username_to_role_assignment_map = dict([(api.username, api) for api in role_assignment_apis]) user_dbs = User.get_all() results = {} for user_db in user_dbs: username = user_db.name role_assignment_api = username_to_role_assignment_map.get(username, None) role_assignment_dbs = rbac_services.get_role_assignments_for_user(user_db=user_db) result = self._sync_user_role_assignments( user_db=user_db, role_assignment_dbs=role_assignment_dbs, role_assignment_api=role_assignment_api ) results[username] = result LOG.info("User role assignments synchronized") return results
def sync_users_role_assignments(self, role_assignment_apis): """ Synchronize role assignments for all the users in the database. :param role_assignment_apis: Role assignments API objects for the assignments loaded from the files. :type role_assignment_apis: ``list`` of :class:`UserRoleAssignmentFileFormatAPI` :return: Dictionary with created and removed role assignments for each user. :rtype: ``dict`` """ LOG.info('Synchronizing users role assignments...') user_dbs = User.get_all() username_to_user_db_map = dict([(user_db.name, user_db) for user_db in user_dbs]) results = {} for role_assignment_api in role_assignment_apis: username = role_assignment_api.username user_db = username_to_user_db_map.get(username, None) if not user_db: LOG.debug(('Skipping role assignments for user "%s" which doesn\'t exist in the ' 'database' % (username))) continue role_assignment_dbs = rbac_services.get_role_assignments_for_user(user_db=user_db) result = self._sync_user_role_assignments(user_db=user_db, role_assignment_dbs=role_assignment_dbs, role_assignment_api=role_assignment_api) results[username] = result LOG.info('User role assignments synchronized') return results
def test_sync_user_assignments_assignments_without_is_remote_are_deleted(self): # Test case which verifies roles without "is_remote" field (pre v2.3) are removed from the # database syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, 4 roles role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_5']) self.assertEqual(len(role_assignment_dbs), 4) # All 3 non remote roles should have been deleted syncer.sync_users_role_assignments(role_assignment_apis=[]) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_5']) self.assertEqual(len(role_assignment_dbs), 1) self.assertEqual(role_assignment_dbs[0].role, 'role_4') self.assertEqual(role_assignment_dbs[0].is_remote, True)
def sync_users_role_assignments(self, role_assignment_apis): """ Synchronize role assignments for all the users in the database. :param role_assignment_apis: Role assignments API objects for the assignments loaded from the files. :type role_assignment_apis: ``list`` of :class:`UserRoleAssignmentFileFormatAPI` :return: Dictionary with created and removed role assignments for each user. :rtype: ``dict`` """ LOG.info('Synchronizing users role assignments...') user_dbs = User.get_all() username_to_user_db_map = dict([(user_db.name, user_db) for user_db in user_dbs]) username_to_role_assignment_api_map = dict([ (role_assignment_api.username, role_assignment_api) for role_assignment_api in role_assignment_apis ]) # Note: We process assignments for all the users (ones specified in the assignment files # and ones which are in the databse). We want to make sure assignments are correctly # deleted from the databse for users which existing in the databse, but have no assignment # file on disk. all_usernames = (username_to_user_db_map.keys() + username_to_role_assignment_api_map.keys()) all_usernames = list(set(all_usernames)) results = {} for username in all_usernames: role_assignment_api = username_to_role_assignment_api_map.get( username, None) user_db = username_to_user_db_map.get(username, None) if not user_db: # Note: We allow assignments to be created for the users which don't exist in the # DB yet because user creation in StackStorm is lazy (we only create UserDB) object # when user first logs in. user_db = UserDB(name=username) LOG.debug(( 'User "%s" doesn\'t exist in the DB, creating assignment anyway' % (username))) role_assignment_dbs = rbac_services.get_role_assignments_for_user( user_db=user_db, include_remote=False) result = self._sync_user_role_assignments( user_db=user_db, role_assignment_dbs=role_assignment_dbs, role_assignment_api=role_assignment_api) results[username] = result LOG.info('User role assignments synchronized') return results
def test_sync_success_no_existing_remote_assignments(self): syncer = RBACRemoteGroupToRoleSyncer() user_db = self.users['user_1'] # Create mock mapping which maps CN=stormers,OU=groups,DC=stackstorm,DC=net # to "mock_remote_role_3" and "mock_remote_role_4" create_group_to_role_map(group='CN=stormers,OU=groups,DC=stackstorm,DC=net', roles=['mock_remote_role_3', 'mock_remote_role_4'], source='mappings/stormers.yaml') # Verify initial state role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_1']) groups = [ 'CN=stormers,OU=groups,DC=stackstorm,DC=net', 'CN=testers,OU=groups,DC=stackstorm,DC=net', # We repeat the same group to validate that repated groups are correctly de-duplicated 'CN=stormers,OU=groups,DC=stackstorm,DC=net', ] result = syncer.sync(user_db=self.users['user_1'], groups=groups) created_role_assignment_dbs = result[0] removed_role_assignment_dbs = result[1] self.assertEqual(len(created_role_assignment_dbs), 2) self.assertEqual(created_role_assignment_dbs[0].role, 'mock_remote_role_3') self.assertEqual(created_role_assignment_dbs[1].role, 'mock_remote_role_4') self.assertEqual(removed_role_assignment_dbs, []) # User should have two new roles assigned now role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 4) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) self.assertEqual(role_dbs[1], self.roles['mock_local_role_2']) self.assertEqual(role_dbs[2], self.roles['mock_remote_role_3']) self.assertEqual(role_dbs[3], self.roles['mock_remote_role_4']) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_1']) self.assertEqual(len(role_assignment_dbs), 4) self.assertEqual(role_assignment_dbs[2].source, 'mappings/stormers.yaml') self.assertEqual(role_assignment_dbs[3].source, 'mappings/stormers.yaml')
def test_get_role_assignments_for_user(self): # Test a case where a document doesn't exist is_remote field and when it # does user_db = self.users['user_5'] role_assignment_dbs = rbac_services.get_role_assignments_for_user( user_db=user_db, include_remote=False) self.assertEqual(len(role_assignment_dbs), 3) self.assertEqual(role_assignment_dbs[0].role, 'role_1') self.assertEqual(role_assignment_dbs[1].role, 'role_2') self.assertEqual(role_assignment_dbs[2].role, 'role_3') self.assertEqual(role_assignment_dbs[0].is_remote, False) self.assertEqual(role_assignment_dbs[1].is_remote, False) self.assertEqual(role_assignment_dbs[2].is_remote, False) user_db = self.users['user_5'] role_assignment_dbs = rbac_services.get_role_assignments_for_user( user_db=user_db, include_remote=True) self.assertEqual(len(role_assignment_dbs), 4) self.assertEqual(role_assignment_dbs[3].role, 'role_4') self.assertEqual(role_assignment_dbs[3].is_remote, True)
def test_sync_user_assignments_multiple_sources_same_role_assignment(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with role defined in separate files assignment1 = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1'], file_path='assignments/user2a.yaml') assignment2 = UserRoleAssignmentFileFormatAPI( username='******', roles=['role_1'], file_path='assignments/user2b.yaml') syncer.sync_users_role_assignments(role_assignment_apis=[assignment1, assignment2]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_1']) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 2) sources = [r.source for r in role_assignment_dbs] self.assertIn('assignments/user2a.yaml', sources) self.assertIn('assignments/user2b.yaml', sources) # Do another sync with one assignment file removed - only one assignment should be left syncer.sync_users_role_assignments(role_assignment_apis=[assignment2]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_1']) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 1) sources = [r.source for r in role_assignment_dbs] self.assertIn('assignments/user2b.yaml', sources)
def sync_users_role_assignments(self, role_assignment_apis): """ Synchronize role assignments for all the users in the database. :param role_assignment_apis: Role assignments API objects for the assignments loaded from the files. :type role_assignment_apis: ``list`` of :class:`UserRoleAssignmentFileFormatAPI` :return: Dictionary with created and removed role assignments for each user. :rtype: ``dict`` """ LOG.info('Synchronizing users role assignments...') user_dbs = User.get_all() username_to_user_db_map = dict([(user_db.name, user_db) for user_db in user_dbs]) results = {} for role_assignment_api in role_assignment_apis: username = role_assignment_api.username user_db = username_to_user_db_map.get(username, None) if not user_db: # Note: We allow assignments to be created for the users which don't exist in the # DB yet because user creation in StackStorm is lazy (we only create UserDB) object # when user first logs in. user_db = UserDB(name=username) LOG.debug(( 'User "%s" doesn\'t exist in the DB, creating assignment anyway' % (username))) role_assignment_dbs = rbac_services.get_role_assignments_for_user( user_db=user_db) result = self._sync_user_role_assignments( user_db=user_db, role_assignment_dbs=role_assignment_dbs, role_assignment_api=role_assignment_api) results[username] = result LOG.info('User role assignments synchronized') return results
def test_sync_user_assignments_single_role_assignment(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_1']) self.assertItemsEqual(role_dbs, []) # Do the sync with a single role defined api = UserRoleAssignmentFileFormatAPI(username='******', roles=['role_1'], file_path='assignments/user1.yaml') syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_1']) self.assertItemsEqual(role_dbs, [self.roles['role_1']]) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_1']) self.assertEqual(len(role_assignment_dbs), 1) self.assertEqual(role_assignment_dbs[0].source, 'assignments/user1.yaml')
def sync_users_role_assignments(self, role_assignment_apis): """ Synchronize role assignments for all the users in the database. :param role_assignment_apis: Role assignments API objects for the assignments loaded from the files. :type role_assignment_apis: ``list`` of :class:`UserRoleAssignmentFileFormatAPI` :return: Dictionary with created and removed role assignments for each user. :rtype: ``dict`` """ LOG.info('Synchronizing users role assignments...') user_dbs = User.get_all() username_to_user_db_map = dict([(user_db.name, user_db) for user_db in user_dbs]) results = {} for role_assignment_api in role_assignment_apis: username = role_assignment_api.username user_db = username_to_user_db_map.get(username, None) if not user_db: LOG.debug(( 'Skipping role assignments for user "%s" which doesn\'t exist in the ' 'database' % (username))) continue role_assignment_dbs = rbac_services.get_role_assignments_for_user( user_db=user_db) result = self._sync_user_role_assignments( user_db=user_db, role_assignment_dbs=role_assignment_dbs, role_assignment_api=role_assignment_api) results[username] = result LOG.info('User role assignments synchronized') return results
def sync_users_role_assignments(self, role_assignment_apis): """ Synchronize role assignments for all the users in the database. :param role_assignment_apis: Role assignments API objects for the assignments loaded from the files. :type role_assignment_apis: ``list`` of :class:`UserRoleAssignmentFileFormatAPI` :return: Dictionary with created and removed role assignments for each user. :rtype: ``dict`` """ LOG.info('Synchronizing users role assignments...') user_dbs = User.get_all() username_to_user_db_map = dict([(user_db.name, user_db) for user_db in user_dbs]) results = {} for role_assignment_api in role_assignment_apis: username = role_assignment_api.username user_db = username_to_user_db_map.get(username, None) if not user_db: # Note: We allow assignments to be created for the users which don't exist in the # DB yet because user creation in StackStorm is lazy (we only create UserDB) object # when user first logs in. user_db = UserDB(name=username) LOG.debug(('User "%s" doesn\'t exist in the DB, creating assignment anyway' % (username))) role_assignment_dbs = rbac_services.get_role_assignments_for_user(user_db=user_db) result = self._sync_user_role_assignments(user_db=user_db, role_assignment_dbs=role_assignment_dbs, role_assignment_api=role_assignment_api) results[username] = result LOG.info('User role assignments synchronized') return results
def test_sync_user_assignments_multiple_custom_roles_assignments(self): syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() # Initial state, no roles role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI(username='******', roles=['role_1', 'role_2'], file_path='assignments/user2.yaml') syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) role_assignment_dbs = get_role_assignments_for_user(user_db=self.users['user_2']) self.assertEqual(len(role_assignment_dbs), 2) self.assertEqual(role_assignment_dbs[0].source, 'assignments/user2.yaml') self.assertEqual(role_assignment_dbs[1].source, 'assignments/user2.yaml')
def test_sync_assignments_are_removed_user_doesnt_exist_in_db(self): # Make sure that the assignments for the users which don't exist in the db are correctly # removed syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=['role_1', 'role_2'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) # Sync with no roles on disk - existing roles should be removed syncer.sync_users_role_assignments(role_assignment_apis=[]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 0) username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with three roles defined api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_1', 'role_2', 'role_3'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 3) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) self.assertEqual(role_dbs[2], self.roles['role_3']) role_assignment_dbs = get_role_assignments_for_user(user_db=user_db) self.assertEqual(len(role_assignment_dbs), 3) self.assertEqual(role_assignment_dbs[0].source, 'assignments/%s.yaml' % user_db.name) # Sync with one role on disk - two roles should be removed api = UserRoleAssignmentFileFormatAPI(username=user_db.name, roles=['role_3'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_3'])
def test_sync_assignments_are_removed_user_doesnt_exist_in_db(self): # Make sure that the assignments for the users which don't exist in the db are correctly # removed syncer = RBACDefinitionsDBSyncer() self._insert_mock_roles() username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with two roles defined api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_1', 'role_2'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) # Sync with no roles on disk - existing roles should be removed syncer.sync_users_role_assignments(role_assignment_apis=[]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 0) username = '******' # Initial state, no roles user_db = UserDB(name=username) self.assertEqual(len(User.query(name=username)), 0) role_dbs = get_roles_for_user(user_db=user_db) self.assertItemsEqual(role_dbs, []) # Do the sync with three roles defined api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_1', 'role_2', 'role_3'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 3) self.assertEqual(role_dbs[0], self.roles['role_1']) self.assertEqual(role_dbs[1], self.roles['role_2']) self.assertEqual(role_dbs[2], self.roles['role_3']) role_assignment_dbs = get_role_assignments_for_user(user_db=user_db) self.assertEqual(len(role_assignment_dbs), 3) self.assertEqual(role_assignment_dbs[0].source, 'assignments/%s.yaml' % user_db.name) # Sync with one role on disk - two roles should be removed api = UserRoleAssignmentFileFormatAPI( username=user_db.name, roles=['role_3'], file_path='assignments/%s.yaml' % user_db.name) syncer.sync_users_role_assignments(role_assignment_apis=[api]) role_dbs = get_roles_for_user(user_db=user_db) self.assertEqual(len(role_dbs), 1) self.assertEqual(role_dbs[0], self.roles['role_3'])