def test_basic_permission(
    standard_graph, graph, session, users, groups, permissions  # noqa: F811
):
    """
    Check that permissions granted to groups resolve as expected, both at
    the group level and at the user level.

    The fixtures (standard_graph and friends) set up the memberships and
    grants; this test only reads the resolved graph. Because users pick up
    permissions through their group memberships, the user-level lists also
    exercise inheritance through the graph.
    """
    # Group-level view: the sorted permission strings each group ends up
    # holding once inheritance has been applied.
    expected_group_perms = [
        ("team-sre", ["audited:", "ssh:*", "sudo:shell", "team-sre:*"]),
        ("tech-ops", ["audited:", "ssh:shell", "sudo:shell"]),
        ("team-infra", ["sudo:shell"]),
        ("all-teams", []),
    ]
    for group_name, expected in expected_group_perms:
        assert sorted(get_group_permissions(graph, group_name)) == expected

    # User-level view. Kept as a list of pairs (not a dict) so that the
    # order of the checks matches the order they are written in.
    expected_user_perms = [
        (
            "*****@*****.**",
            [
                "audited:",
                PERMISSION_ADMIN + ":",
                "ssh:*",
                "ssh:shell",
                "sudo:shell",
                "team-sre:*",
            ],
        ),
        (
            "*****@*****.**",
            ["audited:", "ssh:*", "ssh:shell", "sudo:shell", "team-sre:*"],
        ),
        (
            "*****@*****.**",
            [
                "audited:",
                AUDIT_MANAGER + ":",
                AUDIT_VIEWER + ":",
                PERMISSION_AUDITOR + ":",
                "owner:sad-team",
                "ssh:*",
                "sudo:shell",
                "team-sre:*",
            ],
        ),
        ("*****@*****.**", []),
        ("*****@*****.**", ["sudo:shell"]),
    ]
    for user_name, expected in expected_user_perms:
        assert sorted(get_user_permissions(graph, user_name)) == expected
def test_disabling_permission(
    session, groups, standard_graph, graph, http_client, base_url  # noqa: F811
):
    """
    Exercise the front-end route that disables a permission.

    Steps, in order:
      1. A caller without PERMISSION_ADMIN is refused with 403, and the
         permission stays enabled (no state change on the denied path).
      2. A caller with PERMISSION_ADMIN gets 200, the permission becomes
         disabled, and after reloading the graph nobody holds it any more.
      3. Disabling a permission name that does not exist yields 404.
      4. Disabling a permission drops every mapping of it, whatever the
         argument: the standard_graph grants "ssh" with args "*" and
         "shell" to two different groups, and both must disappear.
    """
    perm_name = "sudo"
    nonpriv_user_name = "*****@*****.**"  # lacks PERMISSION_ADMIN
    nonpriv_headers = {"X-Grouper-User": nonpriv_user_name}
    priv_user_name = "*****@*****.**"  # holds PERMISSION_ADMIN
    priv_headers = {"X-Grouper-User": priv_user_name}

    disable_url = url(base_url, "/permissions/{}/disable".format(perm_name))
    disable_url_non_exist_perm = url(base_url, "/permissions/no.exists/disable")

    def disable_request(target_url, headers):
        """Return the fetch future for a POST to *target_url* with an empty body."""
        return http_client.fetch(target_url, method="POST", headers=headers, body="")

    def user_has_sudo_shell(user_name):
        """True when *user_name* currently resolves to "sudo:shell" in the graph."""
        return "sudo:shell" in get_user_permissions(graph, user_name)

    # Precondition: both users hold sudo:shell before anything is disabled.
    assert user_has_sudo_shell("*****@*****.**")
    assert user_has_sudo_shell("*****@*****.**")

    # Step 1: the unprivileged actor must be rejected ...
    with pytest.raises(HTTPError) as exc:
        yield disable_request(disable_url, nonpriv_headers)
    assert exc.value.code == 403

    # ... and the rejection must leave state untouched: the permission is
    # still enabled in the DB and the reloaded graph still grants it.
    assert get_permission(session, perm_name).enabled
    graph.update_from_db(session)
    assert user_has_sudo_shell("*****@*****.**")
    assert user_has_sudo_shell("*****@*****.**")

    # Step 2: the privileged actor may disable it, and the grant is gone
    # once the graph is rebuilt from the DB.
    resp = yield disable_request(disable_url, priv_headers)
    assert resp.code == 200
    assert not get_permission(session, perm_name).enabled
    graph.update_from_db(session)
    assert not user_has_sudo_shell("*****@*****.**")
    assert not user_has_sudo_shell("*****@*****.**")

    # Step 3: an unknown permission name is a 404, not a silent success.
    with pytest.raises(HTTPError) as exc:
        yield disable_request(disable_url_non_exist_perm, priv_headers)
    assert exc.value.code == 404

    # Step 4: "ssh" is mapped twice with different arguments; disabling the
    # permission must remove both mappings, not just one of them.
    assert "ssh:*" in get_group_permissions(graph, "team-sre")
    assert "ssh:shell" in get_group_permissions(graph, "tech-ops")

    disable_url_ssh_pem = url(base_url, "/permissions/ssh/disable")
    resp = yield disable_request(disable_url_ssh_pem, priv_headers)
    assert resp.code == 200
    assert not get_permission(session, "ssh").enabled
    graph.update_from_db(session)
    assert "ssh:*" not in get_group_permissions(graph, "team-sre")
    assert "ssh:shell" not in get_group_permissions(graph, "tech-ops")