def test_service_account_fe_perms(
session,
standard_graph,
graph,
http_client,
base_url # noqa: F811
):
admin = "*****@*****.**"
owner = "*****@*****.**"
plebe = "*****@*****.**"
# Unrelated people cannot create a service account
fe_url = url(base_url, "/groups/team-sre/service/create")
with pytest.raises(HTTPError):
yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": plebe},
body=urlencode({
"name": "service_account",
"description": "*",
"machine_set": "*"
}),
)
# But group members can create service accounts
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": owner},
body=urlencode({
"name": "service_account",
"description": "*",
"machine_set": "*"
}),
)
assert resp.code == 200
# Unrelated people cannot grant a permission.
fe_url = url(base_url, "/groups/team-sre/service/[email protected]/grant")
with pytest.raises(HTTPError):
yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": plebe},
body=urlencode({
"permission": "team-sre",
"argument": "*"
}),
)
# Even group owners cannot grant an unrelated permission.
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": owner},
body=urlencode({
"permission": "other-perm",
"argument": "*"
}),
)
assert resp.code == 200
graph.update_from_db(session)
metadata = graph.get_user_details("*****@*****.**")
assert metadata["permissions"] == []
# Group owners can delegate a team permission.
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": owner},
body=urlencode({
"permission": "team-sre",
"argument": "*"
}),
)
assert resp.code == 200
# Global user admins still cannot grant an unrelated permission.
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": admin},
body=urlencode({
"permission": "other-perm",
"argument": "*"
}),
)
assert resp.code == 200
graph.update_from_db(session)
metadata = graph.get_user_details("*****@*****.**")
assert len(metadata["permissions"]) == 1
# But can delegate a team permission.
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": admin},
body=urlencode({
"permission": "ssh",
"argument": "*"
}),
)
assert resp.code == 200
# Check that the permissions are reflected in the graph.
graph.update_from_db(session)
metadata = graph.get_user_details("*****@*****.**")
perms = [(p["permission"], p["argument"]) for p in metadata["permissions"]]
assert sorted(perms) == [("ssh", "*"), ("team-sre", "*")]
# Find the mapping IDs of the two permissions.
service_account = ServiceAccount.get(session, name="*****@*****.**")
perms = service_account_permissions(session, service_account)
# Unrelated people cannot revoke a permission.
fe_url = url(
base_url, "/groups/team-sre/service/[email protected]/revoke/{}".format(
perms[0].mapping_id))
with pytest.raises(HTTPError):
yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": plebe},
body=urlencode({}))
# But the group owner and a global admin can.
resp = yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": admin},
body=urlencode({}))
assert resp.code == 200
fe_url = url(
base_url, "/groups/team-sre/service/[email protected]/revoke/{}".format(
perms[1].mapping_id))
resp = yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": owner},
body=urlencode({}))
assert resp.code == 200
# This should have removed all the permissions.
graph.update_from_db(session)
metadata = graph.get_user_details("*****@*****.**")
assert metadata["permissions"] == []
def test_service_accounts(
session,
standard_graph,
graph,
users,
groups,
permissions # noqa: F811
):
# Create a service account.
service_account = ServiceAccount.get(session, name="*****@*****.**")
assert service_account.description == "some service account"
assert service_account.machine_set == "some machines"
assert service_account.user.name == "*****@*****.**"
assert service_account.user.enabled == True
assert service_account.user.is_service_account == True
accounts = get_service_accounts(session, groups["team-sre"])
assert len(accounts) == 1
assert accounts[0].user.name == "*****@*****.**"
assert is_service_account(session, service_account.user)
# Duplicates should raise an exception.
with pytest.raises(DuplicateServiceAccount):
create_service_account(session, users["*****@*****.**"], "*****@*****.**",
"dup", "dup", groups["team-sre"])
# zorkian should be able to manage the account, as should gary, but oliver (not a member of the
# group) should not.
assert can_manage_service_account(session, service_account,
users["*****@*****.**"])
assert can_manage_service_account(session, service_account,
users["*****@*****.**"])
assert not can_manage_service_account(session, service_account,
users["*****@*****.**"])
# Check that the user appears in the graph.
graph.update_from_db(session)
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["enabled"]
assert metadata["service_account"]["description"] == "some service account"
assert metadata["service_account"]["machine_set"] == "some machines"
assert metadata["service_account"]["owner"] == "team-sre"
group_details = graph.get_group_details("team-sre")
assert group_details["service_accounts"] == ["*****@*****.**"]
# Grant a permission to the service account and check it in the graph.
grant_permission_to_service_account(session, service_account,
permissions["team-sre"], "*")
graph.update_from_db(session)
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"][0]["permission"] == "team-sre"
assert user_details["permissions"][0]["argument"] == "*"
# Diabling the service account should remove the link to the group.
disable_service_account(session, users["*****@*****.**"], service_account)
assert service_account.user.enabled == False
assert get_service_accounts(session, groups["team-sre"]) == []
# The user should also be gone from the graph and have its permissions removed.
graph.update_from_db(session)
group_details = graph.get_group_details("team-sre")
assert "service_accounts" not in group_details
metadata = graph.user_metadata["*****@*****.**"]
assert not metadata["enabled"]
assert "owner" not in metadata["service_account"]
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
# We can re-enable and attach to a different group.
new_group = groups["security-team"]
enable_service_account(session, users["*****@*****.**"], service_account,
new_group)
assert service_account.user.enabled == True
assert get_service_accounts(session, groups["team-sre"]) == []
accounts = get_service_accounts(session, new_group)
assert len(accounts) == 1
assert accounts[0].user.name == "*****@*****.**"
# Check that this is reflected in the graph and the user has no permissions.
graph.update_from_db(session)
group_details = graph.get_group_details("security-team")
assert group_details["service_accounts"] == ["*****@*****.**"]
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["service_account"]["owner"] == "security-team"
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
def test_exclude_disabled_permissions(
session, standard_graph, graph, users, groups, permissions # noqa: F811
):
"""
Ensure that disabled permissions are excluded from various
functions/methods that return data from the models.
"""
perm_ssh = get_permission(session, "ssh")
perm_grant = create_permission(session, PERMISSION_GRANT)
session.commit()
# this user has grouper.permission.grant with argument "ssh/*"
grant_permission(groups["group-admins"], perm_grant, argument="ssh/*")
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert "ssh" == filter_grantable_permissions(session, grant_perms)[0][0].name
assert "ssh" in (p.name for p in get_all_permissions(session))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" in get_grantable_permissions(session, [])
assert "team-sre" in [g[0] for g in get_groups_by_permission(session, perm_ssh)]
assert get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" in get_owners_by_grantable_permission(session)
assert "ssh" in (x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"]))
assert user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" in (p["permission"] for p in graph.get_group_details("team-sre")["permissions"])
assert "ssh" in (pt.name for pt in graph.get_permissions())
assert "team-sre" in graph.get_permission_details("ssh")["groups"]
assert "ssh" in (p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"])
# now disable the ssh permission
disable_permission(session, "ssh", users["*****@*****.**"].id)
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert not filter_grantable_permissions(session, grant_perms)
assert "ssh" not in (p.name for p in get_all_permissions(session))
assert "ssh" not in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" not in get_grantable_permissions(session, [])
assert not get_groups_by_permission(session, perm_ssh)
assert not get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" not in get_owners_by_grantable_permission(session)
assert "ssh" not in (
x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"])
)
assert not user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" not in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" not in (
p["permission"] for p in graph.get_group_details("team-sre")["permissions"]
)
assert "ssh" not in (pt.name for pt in graph.get_permissions())
assert not graph.get_permission_details("ssh")["groups"]
assert "ssh" not in (
p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"]
)