def test_google_bucket_access_denied_new_proxy_group(
    app,
    google_storage_client_mocker,
    client,
    cloud_manager,
    db_session,
    encoded_jwt_no_proxy_group,
    monkeypatch,
):
    """
    Request Google credentials for a user who has no proxy group yet and
    only holds ``read-storage`` on a project whose bucket access group is
    ``write``-only.

    ``MOCK_AUTH`` is switched off so the endpoint runs its real Bearer-JWT
    handling for this request. The cloud-manager mock hands back a fresh
    service account and a fresh proxy group. The test then checks that the
    storage client's ``delete_bucket_acl`` was invoked (the bucket ACL is
    removed rather than granted -- presumably because ``read-storage`` does
    not satisfy the group's ``write`` requirement; confirm against the
    endpoint) and that the request still completes with HTTP 200.
    """
    monkeypatch.setitem(config, "MOCK_AUTH", False)
    user_id = encoded_jwt_no_proxy_group["user_id"]

    # One project/bucket pair: the bucket's access group needs "write",
    # the user only has "read-storage" on the project.
    proj = Project(id=129, name="test_proj")
    cloud = CloudProvider(id=129, name="google")
    bucket = Bucket(id=129, provider_id=cloud.id)
    rows = [
        proj,
        AccessPrivilege(
            user_id=user_id, project_id=proj.id, privilege=["read-storage"]
        ),
        cloud,
        bucket,
        GoogleBucketAccessGroup(
            id=129, bucket_id=bucket.id, email="*****@*****.**", privileges=["write"]
        ),
        ProjectToBucket(id=129, project_id=proj.id, bucket_id=bucket.id),
        StorageAccess(project_id=proj.id, provider_id=cloud.id),
    ]
    for row in rows:
        db_session.add(row)
    db_session.commit()

    # The cloud manager is used as a context manager by the endpoint; stub
    # what the two creation calls return inside that context.
    manager = cloud_manager.return_value.__enter__.return_value
    manager.create_service_account_for_proxy_group.return_value = {
        "uniqueId": "987654321",
        "email": "*****@*****.**",
        "projectId": "1",
    }
    manager.create_proxy_group_for_user.return_value = {
        "id": "123456789",
        "email": "*****@*****.**",
    }

    response = client.post(
        "/credentials/google/",
        data={},
        headers={"Authorization": "Bearer " + encoded_jwt_no_proxy_group["jwt"]},
    )

    assert google_storage_client_mocker.delete_bucket_acl.called is True
    assert response.status_code == 200
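def test_google_bucket_access_existing_proxy_group(
    app,
    google_storage_client_mocker,
    client,
    cloud_manager,
    db_session,
    encoded_creds_jwt,
    monkeypatch,
):
    """
    Request Google credentials for a user whose service account already
    exists in the database.

    ``MOCK_AUTH`` is switched off (via ``app.config``) so the endpoint
    authenticates the Bearer JWT itself. A ``GoogleServiceAccount`` tied to
    the JWT's user and client is persisted before the request, alongside a
    project whose bucket access group requires ``write`` and on which the
    user holds ``write-storage``. The test asserts that the storage client's
    ``add_bucket_acl`` is not called and that the endpoint answers HTTP 200.

    Cleanups relative to the earlier version: ``path`` was assigned twice
    with the same value, and ``service_account`` was re-added to the session
    after it had already been committed (a no-op); both are dropped.
    """
    monkeypatch.setitem(app.config, "MOCK_AUTH", False)
    user_id = encoded_creds_jwt["user_id"]
    client_id = encoded_creds_jwt["client_id"]
    service_account_id = "123456789"

    proj = Project(id=129, name="test_proj")
    ap = AccessPrivilege(
        user_id=user_id, project_id=proj.id, privilege=["write-storage"]
    )
    cloud = CloudProvider(id=129, name="google")
    bucket = Bucket(id=129, provider_id=cloud.id)
    gbag = GoogleBucketAccessGroup(
        id=129, bucket_id=bucket.id, email="*****@*****.**", privileges=["write"]
    )
    ptob = ProjectToBucket(id=129, project_id=proj.id, bucket_id=bucket.id)
    sa = StorageAccess(project_id=proj.id, provider_id=cloud.id)
    service_account = GoogleServiceAccount(
        google_unique_id=service_account_id,
        client_id=client_id,
        user_id=user_id,
        email="{}-{}@test.com".format(client_id, user_id),
        google_project_id="projectId-0",
    )

    # Persist the service account on its own first (matching the original
    # commit order), then the project/bucket rows in one batch.
    db_session.add(service_account)
    db_session.commit()
    for row in (proj, ap, cloud, bucket, gbag, ptob, sa):
        db_session.add(row)
    db_session.commit()

    response = client.post(
        "/credentials/google/",
        data={},
        headers={"Authorization": "Bearer " + encoded_creds_jwt["jwt"]},
    )

    assert google_storage_client_mocker.add_bucket_acl.called is False
    assert response.status_code == 200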
def test_service_account_relationsips(db_session):
    """
    Check that the service-account tables are wired together with the
    expected ORM relationships.

    One row each of ``Project``, ``Bucket``, ``UserServiceAccount``,
    ``ServiceAccountAccessPrivilege``, ``GoogleBucketAccessGroup`` and
    ``ServiceAccountToGoogleBucketAccessGroup`` is committed (every row has
    id 1). Each relationship attribute is then followed from both ends to
    confirm it resolves to the expected model class and to the id-1 row.
    """
    project = Project(id=1)
    bucket = Bucket(id=1)
    user_sa = UserServiceAccount(
        id=1,
        google_unique_id="guid",
        email="*****@*****.**",
        google_project_id="gpid",
    )
    sa_access_privilege = ServiceAccountAccessPrivilege(
        id=1, project_id=1, service_account_id=1
    )
    gbag = GoogleBucketAccessGroup(id=1, bucket_id=1, email="*****@*****.**")
    sa_to_gbag = ServiceAccountToGoogleBucketAccessGroup(
        id=1, service_account_id=1, expires=0, access_group_id=1
    )

    for row in (project, bucket, user_sa, sa_access_privilege, gbag, sa_to_gbag):
        db_session.add(row)
    db_session.commit()

    # (related object reached through a relationship, expected model class);
    # every related row was created with id 1.
    expectations = [
        (project.sa_access_privileges[0], ServiceAccountAccessPrivilege),
        (sa_access_privilege.project, Project),
        (sa_access_privilege.service_account, UserServiceAccount),
        (user_sa.access_privileges[0], ServiceAccountAccessPrivilege),
        (user_sa.to_access_groups[0], ServiceAccountToGoogleBucketAccessGroup),
        (sa_to_gbag.service_account, UserServiceAccount),
        (sa_to_gbag.access_group, GoogleBucketAccessGroup),
        (gbag.to_access_groups[0], ServiceAccountToGoogleBucketAccessGroup),
    ]
    for related, expected_cls in expectations:
        assert type(related) is expected_cls
        assert related.id == 1
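def test_google_bucket_access_existing_proxy_group(
    app,
    google_storage_client_mocker,
    client,
    cloud_manager,
    db_session,
    encoded_creds_jwt,
    monkeypatch,
):
    """
    Request Google credentials for a user whose service account already
    exists, with the service-account lookup/update helpers stubbed.

    ``MOCK_AUTH`` is switched off (via ``config``) so the endpoint
    authenticates the Bearer JWT itself. A ``GoogleServiceAccount`` for the
    JWT's user and client is persisted first, together with a project whose
    bucket access group requires ``write`` and on which the user holds
    ``write-storage``. ``get_or_create_service_account`` and
    ``_update_service_account_db_entry`` are patched to return that row so
    the endpoint neither creates nor updates one. The test asserts that the
    storage client's ``add_bucket_acl`` is not called and that the response
    is HTTP 200.

    Fix: the original started both patches with ``patch(...).start()`` and
    never stopped them, so the replacements stayed active for every later
    test in the session. They are now scoped to the request with ``with``.

    NOTE(review): a test with this same name appears earlier on this page;
    if both live in one module, pytest collects only the last definition --
    confirm that is intended.
    """
    monkeypatch.setitem(config, "MOCK_AUTH", False)
    user_id = encoded_creds_jwt["user_id"]
    client_id = encoded_creds_jwt["client_id"]
    service_account_id = "123456789"

    proj = Project(id=129, name="test_proj")
    ap = AccessPrivilege(
        user_id=user_id, project_id=proj.id, privilege=["write-storage"]
    )
    cloud = CloudProvider(id=129, name="google")
    bucket = Bucket(id=129, provider_id=cloud.id)
    gbag = GoogleBucketAccessGroup(
        id=129, bucket_id=bucket.id, email="*****@*****.**", privileges=["write"]
    )
    ptob = ProjectToBucket(id=129, project_id=proj.id, bucket_id=bucket.id)
    sa = StorageAccess(project_id=proj.id, provider_id=cloud.id)
    service_account = GoogleServiceAccount(
        google_unique_id=service_account_id,
        client_id=client_id,
        user_id=user_id,
        email="{}-{}@test.com".format(client_id, user_id),
        google_project_id="projectId-0",
    )

    # Persist the service account on its own first (matching the original
    # commit order), then the project/bucket rows in one batch. The original
    # re-added the already-committed service account here; that was a no-op.
    db_session.add(service_account)
    db_session.commit()
    for row in (proj, ap, cloud, bucket, gbag, ptob, sa):
        db_session.add(row)
    db_session.commit()

    # Make the endpoint reuse the service account created above and skip its
    # own DB update. Both patches are undone when the ``with`` block exits,
    # so they cannot leak into other tests.
    stub = MagicMock(return_value=service_account)
    with patch(
        "fence.resources.google.utils.get_or_create_service_account", stub
    ), patch(
        "fence.resources.google.utils._update_service_account_db_entry", stub
    ):
        response = client.post(
            "/credentials/google/",
            data={},
            headers={"Authorization": "Bearer " + encoded_creds_jwt["jwt"]},
        )

    assert google_storage_client_mocker.add_bucket_acl.called is False
    assert response.status_code == 200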