def test_group_logdump(session, tmpdir, users, groups): # noqa: F811
groupname = "team-sre"
group_id = groups[groupname].id
yesterday = date.today() - timedelta(days=1)
fn = tmpdir.join("out.csv").strpath
call_main(session, tmpdir, "group", "log_dump", groupname,
yesterday.isoformat(), "--outfile", fn)
with open(fn, "r") as fh:
out = fh.read()
assert not out, "nothing yet"
AuditLog.log(session,
users["*****@*****.**"].id,
"make_noise",
"making some noise",
on_group_id=group_id)
session.commit()
call_main(session, tmpdir, "group", "log_dump", groupname,
yesterday.isoformat(), "--outfile", fn)
with open(fn, "r") as fh:
entries = [x for x in csv.reader(fh)]
assert len(entries) == 1, "should capture our new audit log entry"
log_time, actor, description, action, extra = entries[0]
assert groupname in extra
def test_group_add_remove_owner(
make_session,
get_plugin_proxy,
session,
users,
groups # noqa: F811
):
make_session.return_value = session
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
username = "******"
groupname = "team-sre"
# add
assert (u"User", username) not in groups[groupname].my_members()
call_main(session, "group", "add_member", "--owner", groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u"User", username) in all_members
_, _, _, role, _, _ = all_members[(u"User", username)]
assert GROUP_EDGE_ROLES[role] == "owner"
# remove (fails)
call_main(session, "group", "remove_member", groupname, username)
assert (u"User", username) in Group.get(session,
name=groupname).my_members()
def test_sync_db_default_group(
mock_get_auditors_group_name,
make_session,
session,
users,
groups # noqa: F811
):
make_session.return_value = session
auditors_group = Group.get(session, name="my-auditors")
assert not auditors_group, "Auditors group should not exist yet"
call_main(session, "sync_db")
admin_group = Group.get(session, name="grouper-administrators")
assert admin_group, "Group should have been autocreated"
admin_group_permission_names = [
perm[1] for perm in admin_group.my_permissions()
]
for permission in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
assert permission in admin_group_permission_names, (
"Expected permission missing: %s" % permission)
auditors_group = Group.get(session, name="my-auditors")
assert auditors_group, "Auditors group should have been autocreated"
auditors_group_permission_names = [
perm[1] for perm in auditors_group.my_permissions()
]
assert PERMISSION_AUDITOR in auditors_group_permission_names, (
"Expected permission missing: %s" % PERMISSION_AUDITOR)
def test_group_logdump(session, tmpdir, users, groups): # noqa: F811
groupname = "team-sre"
group_id = groups[groupname].id
yesterday = date.today() - timedelta(days=1)
fn = tmpdir.join("out.csv").strpath
call_main(
session, tmpdir, "group", "log_dump", groupname, yesterday.isoformat(), "--outfile", fn
)
with open(fn, "r") as fh:
out = fh.read()
assert not out, "nothing yet"
AuditLog.log(
session, users["*****@*****.**"].id, "make_noise", "making some noise", on_group_id=group_id
)
session.commit()
call_main(
session, tmpdir, "group", "log_dump", groupname, yesterday.isoformat(), "--outfile", fn
)
with open(fn, "r") as fh:
entries = [x for x in csv.reader(fh)]
assert len(entries) == 1, "should capture our new audit log entry"
log_time, actor, description, action, extra = entries[0]
assert groupname in extra
def test_group_name_checks(session, tmpdir, users, groups): # noqa: F811
username = "******"
groupname = "team-sre"
# check user/group name
call_main(session, tmpdir, "group", "add_member", "--member", "invalid group name", username)
assert (u"User", username) not in Group.get(session, name=groupname).my_members()
bad_username = "******"
call_main(session, tmpdir, "group", "add_member", "--member", groupname, bad_username)
assert (u"User", bad_username) not in Group.get(session, name=groupname).my_members()
def test_group_name_checks(make_session, session, users, groups): # noqa: F811
make_session.return_value = session
username = "******"
groupname = "team-sre"
# check user/group name
call_main(session, "group", "add_member", "--member", "invalid group name", username)
assert (u"User", username) not in Group.get(session, name=groupname).my_members()
bad_username = "******"
call_main(session, "group", "add_member", "--member", groupname, bad_username)
assert (u"User", bad_username) not in Group.get(session, name=groupname).my_members()
def test_group_bulk_add_remove(session, tmpdir, users, groups): # noqa: F811
groupname = "team-sre"
# bulk add
usernames = {"*****@*****.**", "*****@*****.**", "*****@*****.**"}
call_main(session, tmpdir, "group", "add_member", "--member", groupname, *usernames)
members = {u for _, u in Group.get(session, name=groupname).my_members()}
assert usernames.issubset(members)
# bulk remove
call_main(session, tmpdir, "group", "remove_member", groupname, *usernames)
members = {u for _, u in Group.get(session, name=groupname).my_members()}
assert not members.intersection(usernames)
def test_group_disable_group_owner(get_plugin_proxy, session, tmpdir, users, groups): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
username = "******"
groupname = "team-sre"
# add
call_main(session, tmpdir, "group", "add_member", "--owner", groupname, username)
assert (u"User", username) in Group.get(session, name=groupname).my_members()
# disable (fails)
call_main(session, tmpdir, "user", "disable", username)
assert (u"User", username) in Group.get(session, name=groupname).my_members()
def test_user_create(make_session, session, users): # noqa: F811
make_session.return_value = session
# simple
username = "******"
call_main(session, "user", "create", username)
assert User.get(session,
name=username), "non-existent user should be created"
# check username
bad_username = "******"
call_main(session, "user", "create", bad_username)
assert not User.get(session,
name=bad_username), "bad user should not be created"
# bulk
usernames = ["*****@*****.**", "*****@*****.**", "*****@*****.**"]
call_main(session, "user", "create", *usernames)
users = [User.get(session, name=u) for u in usernames]
assert all(users), "all users created"
usernames_with_one_bad = ["*****@*****.**", "*****@*****.**", "not_valid_user"]
call_main(session, "user", "create", *usernames_with_one_bad)
users = [User.get(session, name=u) for u in usernames_with_one_bad]
assert not any(users), "one bad seed means no users created"
def test_group_bulk_add_remove(session, tmpdir, users, groups): # noqa: F811
groupname = "team-sre"
# bulk add
usernames = {"*****@*****.**", "*****@*****.**", "*****@*****.**"}
call_main(session, tmpdir, "group", "add_member", "--member", groupname,
*usernames)
members = {u for _, u in Group.get(session, name=groupname).my_members()}
assert usernames.issubset(members)
# bulk remove
call_main(session, tmpdir, "group", "remove_member", groupname, *usernames)
members = {u for _, u in Group.get(session, name=groupname).my_members()}
assert not members.intersection(usernames)
def test_group_add_remove_member(session, tmpdir, users, groups): # noqa: F811
username = "******"
groupname = "team-sre"
# add
assert (u"User", username) not in groups[groupname].my_members()
call_main(session, tmpdir, "group", "add_member", "--member", groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u"User", username) in all_members
_, _, _, role, _, _ = all_members[(u"User", username)]
assert GROUP_EDGE_ROLES[role] == "member"
# remove
call_main(session, tmpdir, "group", "remove_member", groupname, username)
assert (u"User", username) not in Group.get(session, name=groupname).my_members()
def test_oneoff(mock_load_plugins, session, tmpdir): # noqa: F811
username = "******"
other_username = "******"
groupname = "fake_group"
class FakeOneOff:
def configure(self, service_name):
pass
def run(self, session, **kwargs):
if kwargs.get("group"):
Group.get_or_create(session, groupname=groupname)
session.commit()
elif kwargs.get("key") == "valuewith=":
User.get_or_create(session, username=other_username)
session.commit()
else:
User.get_or_create(session, username=username)
session.commit()
mock_load_plugins.return_value = [FakeOneOff()]
# dry_run
call_main(session, tmpdir, "oneoff", "run", "FakeOneOff")
assert User.get(session, name=username) is None, "default dry_run means no writes"
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created'
# not dry_run, create a user
call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff")
assert User.get(session, name=username) is not None, "dry_run off means writes"
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created'
# not dry_run, use kwarg to create a group
call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "group=1")
assert User.get(session, name=username) is not None, "dry_run off means writes"
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is not None, '"group" in arg so group created'
# invalid format for argument should result in premature system exit
with pytest.raises(SystemExit):
call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "bad_arg")
call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "key=valuewith=")
assert User.get(session, name=other_username) is not None, '"valuewith= in arg, create user2'
def test_group_add_remove_owner(get_plugin_proxy, session, tmpdir, users, groups): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
username = "******"
groupname = "team-sre"
# add
assert (u"User", username) not in groups[groupname].my_members()
call_main(session, tmpdir, "group", "add_member", "--owner", groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u"User", username) in all_members
_, _, _, role, _, _ = all_members[(u"User", username)]
assert GROUP_EDGE_ROLES[role] == "owner"
# remove (fails)
call_main(session, tmpdir, "group", "remove_member", groupname, username)
assert (u"User", username) in Group.get(session, name=groupname).my_members()
def test_oneoff(mock_load_plugins, session, tmpdir): # noqa: F811
username = "******"
other_username = "******"
groupname = "fake_group"
class FakeOneOff(object):
def configure(self, service_name):
pass
def run(self, session, **kwargs):
if kwargs.get("group"):
Group.get_or_create(session, groupname=groupname)
session.commit()
elif kwargs.get("key") == "valuewith=":
User.get_or_create(session, username=other_username)
session.commit()
else:
User.get_or_create(session, username=username)
session.commit()
mock_load_plugins.return_value = [FakeOneOff()]
# dry_run
call_main(session, tmpdir, "oneoff", "run", "FakeOneOff")
assert User.get(session, name=username) is None, "default dry_run means no writes"
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created'
# not dry_run, create a user
call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff")
assert User.get(session, name=username) is not None, "dry_run off means writes"
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created'
# not dry_run, use kwarg to create a group
call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "group=1")
assert User.get(session, name=username) is not None, "dry_run off means writes"
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is not None, '"group" in arg so group created'
# invalid format for argument should result in premature system exit
with pytest.raises(SystemExit):
call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "bad_arg")
call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "key=valuewith=")
assert User.get(session, name=other_username) is not None, '"valuewith= in arg, create user2'
def test_group_disable_group_owner(get_plugin_proxy, session, tmpdir, users,
groups): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
username = "******"
groupname = "team-sre"
# add
call_main(session, tmpdir, "group", "add_member", "--owner", groupname,
username)
assert (u"User", username) in Group.get(session,
name=groupname).my_members()
# disable (fails)
call_main(session, tmpdir, "user", "disable", username)
assert (u"User", username) in Group.get(session,
name=groupname).my_members()
def test_group_add_remove_member(session, tmpdir, users, groups): # noqa: F811
username = "******"
groupname = "team-sre"
# add
assert ("User", username) not in groups[groupname].my_members()
call_main(session, tmpdir, "group", "add_member", "--member", groupname,
username)
all_members = Group.get(session, name=groupname).my_members()
assert ("User", username) in all_members
_, _, _, role, _, _ = all_members[("User", username)]
assert GROUP_EDGE_ROLES[role] == "member"
# remove
call_main(session, tmpdir, "group", "remove_member", groupname, username)
assert ("User", username) not in Group.get(session,
name=groupname).my_members()
def test_user_public_key(make_session, session, users): # noqa: F811
make_session.return_value = session
# good key
username = "******"
call_main(session, "user", "add_public_key", username, SSH_KEY_1)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# duplicate key
call_main(session, "user", "add_public_key", username, SSH_KEY_1)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# bad key
call_main(session, "user", "add_public_key", username, SSH_KEY_BAD)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
def test_user_create(session, tmpdir, users): # noqa: F811
# simple
username = "******"
call_main(session, tmpdir, "user", "create", username)
assert User.get(session, name=username), "non-existent user should be created"
# check username
bad_username = "******"
call_main(session, tmpdir, "user", "create", bad_username)
assert not User.get(session, name=bad_username), "bad user should not be created"
# bulk
usernames = ["*****@*****.**", "*****@*****.**", "*****@*****.**"]
call_main(session, tmpdir, "user", "create", *usernames)
users = [User.get(session, name=u) for u in usernames]
assert all(users), "all users created"
usernames_with_one_bad = ["*****@*****.**", "*****@*****.**", "not_valid_user"]
call_main(session, tmpdir, "user", "create", *usernames_with_one_bad)
users = [User.get(session, name=u) for u in usernames_with_one_bad]
assert not any(users), "one bad seed means no users created"
def test_user_public_key(session, tmpdir, users): # noqa: F811
# good key
username = "******"
call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_1)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# duplicate key
call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_1)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# bad key
call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_BAD)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
def test_user_status_changes(
make_user_session,
make_group_session,
session,
users,
groups # noqa: F811
):
make_user_session.return_value = session
make_group_session.return_value = session
username = "******"
groupname = "team-sre"
# add user to a group
call_main(session, "group", "add_member", "--member", groupname, username)
# disable the account
call_main(session, "user", "disable", username)
assert not User.get(session, name=username).enabled
# double disabling is a no-op
call_main(session, "user", "disable", username)
assert not User.get(session, name=username).enabled
# re-enable the account, preserving memberships
call_main(session, "user", "enable", "--preserve-membership", username)
assert User.get(session, name=username).enabled
assert (u"User", username) in groups[groupname].my_members()
# enabling an active account is a no-op
call_main(session, "user", "enable", username)
assert User.get(session, name=username).enabled
# disable and re-enable without the --preserve-membership flag
call_main(session, "user", "disable", username)
call_main(session, "user", "enable", username)
assert User.get(session, name=username).enabled
assert (u"User", username) not in groups[groupname].my_members()
def test_user_status_changes(session, tmpdir, users, groups): # noqa: F811
username = "******"
groupname = "team-sre"
# add user to a group
call_main(session, tmpdir, "group", "add_member", "--member", groupname, username)
# disable the account
call_main(session, tmpdir, "user", "disable", username)
assert not User.get(session, name=username).enabled
# double disabling is a no-op
call_main(session, tmpdir, "user", "disable", username)
assert not User.get(session, name=username).enabled
# re-enable the account, preserving memberships
call_main(session, tmpdir, "user", "enable", "--preserve-membership", username)
assert User.get(session, name=username).enabled
assert (u"User", username) in groups[groupname].my_members()
# enabling an active account is a no-op
call_main(session, tmpdir, "user", "enable", username)
assert User.get(session, name=username).enabled
# disable and re-enable without the --preserve-membership flag
call_main(session, tmpdir, "user", "disable", username)
call_main(session, tmpdir, "user", "enable", username)
assert User.get(session, name=username).enabled
assert (u"User", username) not in groups[groupname].my_members()
def test_service_account_create(
make_session, groups, service_accounts, session, users # noqa: F811
):
make_session.return_value = session
machine_set = "foo +bar -(org)"
description = "this is a service account.\n\n it is for testing"
security_team_group = Group.get(session, name="security-team")
good_actor_username = "******"
good_service_account_name = "*****@*****.**"
assert ServiceAccount.get(session, name=good_service_account_name) is None
assert get_service_accounts(session, security_team_group) == []
# no-op if non-existing actor
call_main(
session,
"service_account",
"--actor",
"*****@*****.**",
"create",
good_service_account_name,
security_team_group.groupname,
machine_set,
description,
)
# ... or if bad account name
call_main(
session,
"service_account",
"--actor",
good_actor_username,
"create",
"bad-service-account-name",
security_team_group.groupname,
machine_set,
description,
)
# ... or non-existing owner group
call_main(
session,
"service_account",
"--actor",
good_actor_username,
"create",
good_service_account_name,
"non-such-owner-group",
machine_set,
description,
)
# make sure no change was made
assert ServiceAccount.get(session, name=good_service_account_name) is None
assert get_service_accounts(session, security_team_group) == []
# now it works
call_main(
session,
"service_account",
"--actor",
good_actor_username,
"create",
good_service_account_name,
security_team_group.groupname,
machine_set,
description,
)
service_account = ServiceAccount.get(session, name=good_service_account_name)
assert service_account, "non-existing account should be created"
assert service_account.user.name == good_service_account_name
assert service_account.machine_set == machine_set
assert service_account.description == description
assert get_service_accounts(session, security_team_group) == [service_account]
# no-op if account name already exists
call_main(
session,
"service_account",
"--actor",
good_actor_username,
"create",
good_service_account_name,
security_team_group.groupname,
machine_set,
description,
)
service_account = ServiceAccount.get(session, name=good_service_account_name)
assert service_account, "non-account should be created"
assert service_account.user.name == good_service_account_name
assert service_account.machine_set == machine_set
assert service_account.description == description
assert get_service_accounts(session, security_team_group) == [service_account]
# actor can be a service account as well
call_main(
session,
"service_account",
"--actor",
"*****@*****.**",
"create",
"*****@*****.**",
security_team_group.groupname,
machine_set + "2",
description + "2",
)
service_account_2 = ServiceAccount.get(session, name="*****@*****.**")
assert service_account_2, "non-existing account should be created"
assert service_account_2.user.name == "*****@*****.**"
assert service_account_2.machine_set == (machine_set + "2")
assert service_account_2.description == (description + "2")
assert set(get_service_accounts(session, security_team_group)) == set(
[service_account, service_account_2]
)
def test_service_account_create(groups, service_accounts, session, tmpdir, users): # noqa: F811
machine_set = "foo +bar -(org)"
description = "this is a service account.\n\n it is for testing"
security_team_group = Group.get(session, name="security-team")
good_actor_username = "******"
good_service_account_name = "*****@*****.**"
assert ServiceAccount.get(session, name=good_service_account_name) is None
assert get_service_accounts(session, security_team_group) == []
# no-op if non-existing actor
call_main(
session,
tmpdir,
"service_account",
"--actor",
"*****@*****.**",
"create",
good_service_account_name,
security_team_group.groupname,
machine_set,
description,
)
# ... or if bad account name
call_main(
session,
tmpdir,
"service_account",
"--actor",
good_actor_username,
"create",
"bad-service-account-name",
security_team_group.groupname,
machine_set,
description,
)
# ... or non-existing owner group
call_main(
session,
tmpdir,
"service_account",
"--actor",
good_actor_username,
"create",
good_service_account_name,
"non-such-owner-group",
machine_set,
description,
)
# make sure no change was made
assert ServiceAccount.get(session, name=good_service_account_name) is None
assert get_service_accounts(session, security_team_group) == []
# now it works
call_main(
session,
tmpdir,
"service_account",
"--actor",
good_actor_username,
"create",
good_service_account_name,
security_team_group.groupname,
machine_set,
description,
)
service_account = ServiceAccount.get(session, name=good_service_account_name)
assert service_account, "non-existing account should be created"
assert service_account.user.name == good_service_account_name
assert service_account.machine_set == machine_set
assert service_account.description == description
assert get_service_accounts(session, security_team_group) == [service_account]
# no-op if account name already exists
call_main(
session,
tmpdir,
"service_account",
"--actor",
good_actor_username,
"create",
good_service_account_name,
security_team_group.groupname,
machine_set,
description,
)
service_account = ServiceAccount.get(session, name=good_service_account_name)
assert service_account, "non-account should be created"
assert service_account.user.name == good_service_account_name
assert service_account.machine_set == machine_set
assert service_account.description == description
assert get_service_accounts(session, security_team_group) == [service_account]
# actor can be a service account as well
call_main(
session,
tmpdir,
"service_account",
"--actor",
"*****@*****.**",
"create",
"*****@*****.**",
security_team_group.groupname,
machine_set + "2",
description + "2",
)
service_account_2 = ServiceAccount.get(session, name="*****@*****.**")
assert service_account_2, "non-existing account should be created"
assert service_account_2.user.name == "*****@*****.**"
assert service_account_2.machine_set == (machine_set + "2")
assert service_account_2.description == (description + "2")
assert set(get_service_accounts(session, security_team_group)) == set(
[service_account, service_account_2]
)
