def expiring_graph(session, graph, users, groups, permissions):
now = datetime.utcnow()
note_exp_now = now + timedelta(settings.expiration_notice_days)
week = timedelta(7)
add_member(groups["team-sre"], users["*****@*****.**"], role="owner")
add_member(groups["team-sre"], users["*****@*****.**"], role="owner")
add_member(groups["team-sre"],
users["*****@*****.**"],
expiration=note_exp_now + week)
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(groups["team-sre"],
users["*****@*****.**"],
role="owner",
expiration=note_exp_now + week)
revoke_member(groups["team-sre"], users["*****@*****.**"])
grant_permission(groups["team-sre"], permissions["ssh"], argument="*")
add_member(groups["serving-team"], users["*****@*****.**"], role="owner")
add_member(groups["serving-team"],
groups["team-sre"],
expiration=note_exp_now + week)
add_member(groups["serving-team"], groups["tech-ops"])
grant_permission(groups["serving-team"], permissions["audited"])
add_member(groups["tech-ops"], users["*****@*****.**"], role="owner")
add_member(groups["tech-ops"],
users["*****@*****.**"],
expiration=note_exp_now + 2 * week)
grant_permission(groups["tech-ops"], permissions["ssh"], argument="shell")
return graph
def test_can_always_revoke_members(get_plugin_proxy, groups, users):
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
owner = users["*****@*****.**"]
member = users["*****@*****.**"]
expiration = datetime.utcnow() + timedelta(1)
add_member(group, owner, role="owner", expiration=expiration)
add_member(group, member)
revoke_member(group, member)
def test_cant_revoke_last_permanent_owner(get_plugin_proxy, groups, users):
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
first_owner = users["*****@*****.**"]
second_owner = users["*****@*****.**"]
expiration = datetime.utcnow() + timedelta(1)
add_member(group, first_owner, role="owner", expiration=expiration)
add_member(group, second_owner, role="owner")
with pytest.raises(PluginRejectedGroupMembershipUpdate):
revoke_member(group, second_owner)
def test_cant_revoke_last_npowner(get_plugin_proxy, session, groups, users):
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
first_owner = users["*****@*****.**"]
second_owner = users["*****@*****.**"]
add_member(group, first_owner, role="np-owner")
add_member(group, second_owner, role="np-owner")
# Revoking the first owner does not raise an exception
revoke_member(group, first_owner)
session.commit()
with pytest.raises(PluginRejectedGroupMembershipUpdate):
revoke_member(group, second_owner)
def test_cant_revoke_last_owner(get_plugins, session, groups, users):
get_plugins.return_value = [GroupOwnershipPolicyPlugin()]
group = groups["team-infra"]
first_owner = users["*****@*****.**"]
second_owner = users["*****@*****.**"]
add_member(group, first_owner, role="owner")
add_member(group, second_owner, role="owner")
assert len(group.my_owners()) == 2
# Revoking the first owner does not raise an exception
revoke_member(group, first_owner)
session.commit()
assert len(group.my_owners()) == 1
with pytest.raises(PluginRejectedGroupMembershipUpdate):
revoke_member(group, second_owner)
assert len(group.my_owners()) == 1
def expiring_graph(session, graph, users, groups, permissions):
now = datetime.utcnow()
note_exp_now = now + timedelta(settings.expiration_notice_days)
week = timedelta(7)
add_member(groups["team-sre"], users["*****@*****.**"], role="owner")
add_member(groups["team-sre"], users["*****@*****.**"], role="owner")
add_member(groups["team-sre"], users["*****@*****.**"], expiration=note_exp_now+week)
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(groups["team-sre"], users["*****@*****.**"], role="owner", expiration=note_exp_now+week)
revoke_member(groups["team-sre"], users["*****@*****.**"])
grant_permission(groups["team-sre"], permissions["ssh"], argument="*")
add_member(groups["serving-team"], users["*****@*****.**"], role="owner")
add_member(groups["serving-team"], groups["team-sre"], expiration=note_exp_now+week)
add_member(groups["serving-team"], groups["tech-ops"])
grant_permission(groups["serving-team"], permissions["audited"])
add_member(groups["tech-ops"], users["*****@*****.**"], role="owner")
add_member(groups["tech-ops"], users["*****@*****.**"], expiration=note_exp_now+2*week)
grant_permission(groups["tech-ops"], permissions["ssh"], argument="shell")
return graph
def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
""" Test expiration auditing and notification. """
graph = standard_graph # noqa
# Test audit autoexpiration for all approvers
approver_roles = ["owner", "np-owner", "manager"]
for role in approver_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundProcessor(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is not None
assert edge.expiration < datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days)
assert edge.expiration > datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days - 1)
assert any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * (approver_roles.index(role) + 1)
revoke_member(groups["audited-team"], users["*****@*****.**"])
# Ensure nonauditor, nonapprovers in audited groups do not get set to expired
member_roles = ["member"]
for role in member_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundProcessor(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is None
assert not any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * len(approver_roles)
revoke_member(groups["audited-team"], users["*****@*****.**"])
def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
""" Test expiration auditing and notification. """
graph = standard_graph # noqa
# Test audit autoexpiration for all approvers
approver_roles = ["owner", "np-owner", "manager"]
for role in approver_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundThread(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is not None
assert edge.expiration < datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days)
assert edge.expiration > datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days - 1)
assert any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * (approver_roles.index(role) + 1)
revoke_member(groups["audited-team"], users["*****@*****.**"])
# Ensure nonauditor, nonapprovers in audited groups do not get set to expired
member_roles = ["member"]
for role in member_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundThread(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is None
assert not any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * len(approver_roles)
revoke_member(groups["audited-team"], users["*****@*****.**"])