def test_fetch_auth_db(self): # Create AuthGlobalConfig. global_config = model.AuthGlobalConfig(key=model.root_key()) global_config.oauth_client_id = '1' global_config.oauth_client_secret = 'secret' global_config.oauth_additional_client_ids = ['2', '3'] global_config.put() # Create a bunch of (empty) groups. groups = [ model.AuthGroup(key=model.group_key('Group A')), model.AuthGroup(key=model.group_key('Group B')), ] for group in groups: group.put() # And a bunch of secrets (local and global). local_secrets = [ model.AuthSecret.bootstrap('local%d' % i, 'local') for i in (0, 1, 2) ] global_secrets = [ model.AuthSecret.bootstrap('global%d' % i, 'global') for i in (0, 1, 2) ] # And IP whitelist. ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Anonymous, ip_whitelist='some ip whitelist', ), ]) ip_whitelist_assignments.put() some_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('some ip whitelist'), subnets=['127.0.0.1/32']) bots_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32']) some_ip_whitelist.put() bots_ip_whitelist.put() # This all stuff should be fetched into AuthDB. auth_db = api.fetch_auth_db() self.assertEqual(global_config, auth_db.global_config) self.assertEqual(set(g.key.id() for g in groups), set(auth_db.groups)) self.assertEqual(set(s.key.id() for s in local_secrets), set(auth_db.secrets['local'])) self.assertEqual(set(s.key.id() for s in global_secrets), set(auth_db.secrets['global'])) self.assertEqual(ip_whitelist_assignments, auth_db.ip_whitelist_assignments) self.assertEqual( { 'bots': bots_ip_whitelist, 'some ip whitelist': some_ip_whitelist }, auth_db.ip_whitelists)
def test_nested_groups_cycle(self): # Groups that nest each other. group1 = model.AuthGroup(id='Group1') group1.nested.append('Group2') group2 = model.AuthGroup(id='Group2') group2.nested.append('Group1') # Collect error messages. errors = [] self.mock(api.logging, 'error', lambda *args: errors.append(args)) # This should not hang, but produce error message. auth_db = api.AuthDB(groups=[group1, group2]) self.assertFalse(auth_db.is_group_member('Group1', model.Anonymous)) self.assertEqual(1, len(errors))
def test_get_group(self): g = model.AuthGroup( key=model.group_key('group'), members=[ model.Identity.from_bytes('user:[email protected]'), model.Identity.from_bytes('user:[email protected]'), ], globs=[model.IdentityGlob.from_bytes('user:*')], nested=['blah'], created_by=model.Identity.from_bytes('user:[email protected]'), created_ts=datetime.datetime(2014, 1, 2, 3, 4, 5), modified_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=datetime.datetime(2015, 1, 2, 3, 4, 5)) db = api.AuthDB(groups=[g]) # Unknown group. self.assertIsNone(db.get_group('blah')) # Known group. from_cache = db.get_group('group') self.assertEqual(from_cache.key, g.key) # Members list is sorted. self.assertEqual(from_cache.members, [ model.Identity.from_bytes('user:[email protected]'), model.Identity.from_bytes('user:[email protected]'), ]) # Fields that are know to be different. exclude = ['members', 'auth_db_rev', 'auth_db_prev_rev'] self.assertEqual(from_cache.to_dict(exclude=exclude), g.to_dict(exclude=exclude))
def make_group(name, comment, **kwargs): group = model.AuthGroup(key=model.group_key(name), **kwargs) group.record_revision( modified_by=ident('*****@*****.**'), modified_ts=utils.utcnow(), comment=comment) group.put()
def make_auth_db(): model.AuthGlobalConfig(key=model.root_key()).put() model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key()).put() model.AuthGroup(key=model.group_key('A group')).put() model.AuthIPWhitelist(key=model.ip_whitelist_key('A whitelist')).put() model.replicate_auth_db()
def test_group_serialization(self): """Serializing snapshot with non-trivial AuthGroup.""" group = model.AuthGroup( key=model.group_key('some-group'), members=[ model.Identity.from_bytes('user:[email protected]'), model.Identity.from_bytes('user:[email protected]'), ], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=['Group A', 'Group B'], description='Blah blah blah', created_ts=datetime.datetime(2020, 1, 1, 1, 1, 1), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=datetime.datetime(2020, 2, 2, 2, 2, 2), modified_by=model.Identity.from_bytes('user:[email protected]'), ) auth_db = make_auth_db_proto(groups=[group]) self.assertEqual(list(auth_db.groups), [ replication_pb2.AuthGroup( name='some-group', members=['user:[email protected]', 'user:[email protected]'], globs=['user:*@example.com'], nested=['Group A', 'Group B'], description='Blah blah blah', created_ts=1577840461000000, created_by='user:[email protected]', modified_ts=1580608922000000, modified_by='user:[email protected]', owners='administrators', ) ])
def make_group(group_id, nested=(), owners=model.ADMIN_GROUP, store=True): """Makes a new AuthGroup to use in test, puts it in datastore.""" entity = model.AuthGroup( key=model.group_key(group_id), nested=nested, owners=owners) if store: entity.put() return entity
def mock_group(group, members): """Creates new group entity in the datastore.""" members = [ model.Identity.from_bytes(m) if isinstance(m, basestring) else m for m in members ] model.AuthGroup(key=model.group_key(group), members=members).put()
def test_nested_groups_cycle(self): # Groups that nest each other. group1 = model.AuthGroup(id='Group1') group1.nested.append('Group2') group2 = model.AuthGroup(id='Group2') group2.nested.append('Group1') # Collect warnings. warnings = [] self.mock(api.logging, 'warning', lambda msg, *_args: warnings.append(msg)) # This should not hang, but produce error message. auth_db = api.AuthDB(groups=[group1, group2]) self.assertFalse(auth_db.is_group_member('Group1', model.Anonymous)) self.assertEqual(1, len(warnings)) self.assertTrue('Cycle in a group graph' in warnings[0])
def create_group(group_name): ent = model.AuthGroup(key=model.group_key(group_name), members=imported_groups[group_name], created_ts=timestamp, created_by=auth.get_service_self_identity(), modified_ts=timestamp, modified_by=auth.get_service_self_identity()) to_put.append(ent)
def test_not_real_nested_group_cycle_aka_issue_251(self): # See https://github.com/luci/luci-py/issues/251. # # B -> A, C -> [B, A]. When traversing C, A is seen twice, and this is fine. group_A = model.AuthGroup(id='A') group_B = model.AuthGroup(id='B') group_C = model.AuthGroup(id='C') group_B.nested = ['A'] group_C.nested = ['A', 'B'] db = api.AuthDB(groups=[group_A, group_B, group_C]) # 'is_group_member' must not report 'Cycle in a group graph' warning. warnings = [] self.mock(api.logging, 'warning', lambda msg, *_args: warnings.append(msg)) self.assertFalse(db.is_group_member('C', model.Anonymous)) self.assertFalse(warnings)
def create_group(group_name): assert group_name.startswith('%s/' % system_name), group_name ent = model.AuthGroup(key=model.group_key(group_name), members=imported_groups[group_name], created_ts=timestamp, created_by=provided_by, modified_ts=timestamp, modified_by=provided_by) to_put.append(ent)
def setUp(self): super(MembershipTest, self).setUp() api.reset_local_state() self.mock(api, 'is_admin', lambda *_: True) model.AuthGroup(key=model.group_key('testgroup'), members=[]).put() def is_group_member_mock(group, identity): group = model.group_key(group).get() return group is not None and identity in group.members self.mock(api, 'is_group_member', is_group_member_mock)
def group(name, members, nested=None): return model.AuthGroup( key=model.group_key(name), created_by=ident('admin'), created_ts=datetime.datetime(1999, 1, 2, 3, 4, 5, 6), modified_by=ident('admin'), modified_ts=datetime.datetime(1999, 1, 2, 3, 4, 5, 6), members=[ident(x) for x in members], nested=nested or [])
def test_is_group_member(self): # Test identity. joe = model.Identity(model.IDENTITY_USER, '*****@*****.**') # Group that includes joe via glob. with_glob = model.AuthGroup(id='WithGlob') with_glob.globs.append( model.IdentityGlob(model.IDENTITY_USER, '*@example.com')) # Group that includes joe via explicit listing. with_listing = model.AuthGroup(id='WithListing') with_listing.members.append(joe) # Group that includes joe via nested group. with_nesting = model.AuthGroup(id='WithNesting') with_nesting.nested.append('WithListing') # Creates AuthDB with given list of groups and then runs the check. is_member = (lambda groups, identity, group: api.AuthDB(groups=groups). is_group_member(group, identity)) # Wildcard group includes everyone (even anonymous). self.assertTrue(is_member([], joe, '*')) self.assertTrue(is_member([], model.Anonymous, '*')) # An unknown group includes nobody. self.assertFalse(is_member([], joe, 'Missing')) self.assertFalse(is_member([], model.Anonymous, 'Missing')) # Globs are respected. self.assertTrue(is_member([with_glob], joe, 'WithGlob')) self.assertFalse(is_member([with_glob], model.Anonymous, 'WithGlob')) # Members lists are respected. self.assertTrue(is_member([with_listing], joe, 'WithListing')) self.assertFalse( is_member([with_listing], model.Anonymous, 'WithListing')) # Nested groups are respected. self.assertTrue( is_member([with_nesting, with_listing], joe, 'WithNesting')) self.assertFalse( is_member([with_nesting, with_listing], model.Anonymous, 'WithNesting'))
def modify(name, commit=True, **kwargs): k = model.group_key(name) e = k.get() if not e: e = model.AuthGroup(key=k, created_by=ident_a, created_ts=utils.utcnow()) e.record_revision(modified_by=ident_a, modified_ts=utils.utcnow(), comment='Comment') e.populate(**kwargs) e.put() if commit: model.replicate_auth_db()
def group(self, name, members=None, globs=None, nested=None, owners=None): self.groups.append( model.AuthGroup( key=model.group_key(name), members=[ model.Identity.from_bytes(m) for m in (members or []) ], globs=[ model.IdentityGlob.from_bytes(g) for g in (globs or []) ], nested=nested or [], owners=owners or 'default-owners-group', )) return self
def test_list_group(self): list_group = (lambda groups, group, recursive: api.AuthDB( groups=groups).list_group(group, recursive)) grp_1 = model.AuthGroup(id='1') grp_1.members.extend([ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ]) grp_2 = model.AuthGroup(id='2') grp_2.nested.append('1') grp_2.members.extend([ # Specify 'b' again, even though it's in a nested group. model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ]) # Unknown group. self.assertEqual(set(), list_group([grp_1, grp_2], 'blah', False)) self.assertEqual(set(), list_group([grp_1, grp_2], 'blah', True)) # Non recursive. expected = set([ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ]) self.assertEqual(expected, list_group([grp_1, grp_2], '2', False)) # Recursive. expected = set([ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ]) self.assertEqual(expected, list_group([grp_1, grp_2], '2', True))
def test_group_serialization(self): """Serializing snapshot with non-trivial AuthGroup.""" group = model.AuthGroup( key=model.group_key('some-group'), members=[ model.Identity.from_bytes('user:[email protected]'), model.Identity.from_bytes('user:[email protected]'), ], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=['Group A', 'Group B'], description='Blah blah blah', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), ) snapshot = make_snapshot_obj(groups=[group]) self.assert_serialization_works(snapshot)
def test_subtoken_audience(self): auth_db = api.AuthDB(groups=[ model.AuthGroup( id='abc', members=[model.Identity.from_bytes('user:[email protected]')], ) ]) tok = fake_subtoken_proto('user:[email protected]', audience=['user:[email protected]', 'group:abc']) # Works. make_id = model.Identity.from_bytes self.assertTrue( delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db)) self.assertTrue( delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db)) # Other ids are rejected. with self.assertRaises(delegation.BadTokenError): delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db)
def add_group(self, group, identities): model.AuthGroup(key=model.group_key(group), members=[ model.Identity.from_bytes(identity) for identity in identities ]).put()
def test_fetch_auth_db(self): # Client IDs callback. Disable config.ensure_configured() since it overrides # _additional_client_ids_cb after we mock it. self.mock(config, 'ensure_configured', lambda: None) self.mock(api, '_additional_client_ids_cb', lambda: ['', 'cb_client_id']) self.mock(api, 'get_web_client_id', lambda: 'web_client_id') # Create AuthGlobalConfig. global_config = model.AuthGlobalConfig(key=model.root_key()) global_config.oauth_client_id = '1' global_config.oauth_client_secret = 'secret' global_config.oauth_additional_client_ids = ['2', '3'] global_config.put() # Create a bunch of (empty) groups. groups = [ model.AuthGroup(key=model.group_key('Group A')), model.AuthGroup(key=model.group_key('Group B')), ] for group in groups: group.put() # And a bunch of secrets. secrets = [ model.AuthSecret.bootstrap('local%d' % i) for i in (0, 1, 2) ] # And IP whitelist. ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Anonymous, ip_whitelist='some ip whitelist', ), ]) ip_whitelist_assignments.put() some_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('some ip whitelist'), subnets=['127.0.0.1/32']) bots_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32']) some_ip_whitelist.put() bots_ip_whitelist.put() # This all stuff should be fetched into AuthDB. auth_db = api.fetch_auth_db() self.assertEqual(global_config, auth_db.global_config) self.assertEqual(set(g.key.id() for g in groups), set(auth_db.groups)) self.assertEqual(set(s.key.id() for s in secrets), set(auth_db.secrets)) self.assertEqual(ip_whitelist_assignments, auth_db.ip_whitelist_assignments) self.assertEqual( { 'bots': bots_ip_whitelist, 'some ip whitelist': some_ip_whitelist }, auth_db.ip_whitelists) self.assertTrue(auth_db.is_allowed_oauth_client_id('1')) self.assertTrue(auth_db.is_allowed_oauth_client_id('cb_client_id')) self.assertTrue(auth_db.is_allowed_oauth_client_id('web_client_id')) self.assertFalse(auth_db.is_allowed_oauth_client_id(''))
def test_non_empty(self): self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1)) state = model.AuthReplicationState(key=model.replication_state_key(), primary_id='blah', primary_url='https://blah', auth_db_rev=123) state.put() global_config = model.AuthGlobalConfig( key=model.root_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), oauth_client_id='oauth_client_id', oauth_client_secret='oauth_client_secret', oauth_additional_client_ids=['a', 'b'], token_server_url='https://token-server', security_config='security config blob') global_config.put() group = model.AuthGroup( key=model.group_key('Some group'), members=[model.Identity.from_bytes('user:[email protected]')], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=[], description='Some description', owners='owning-group', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) group.put() another = model.AuthGroup(key=model.group_key('Another group'), nested=['Some group']) another.put() ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32'], description='Some description', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) ip_whitelist.put() ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Identity.from_bytes( 'user:[email protected]'), ip_whitelist='bots', comment='some comment', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes( 'user:[email protected]')), ]) ip_whitelist_assignments.put() realms_globals = model.AuthRealmsGlobals( key=model.realms_globals_key(), permissions=[ realms_pb2.Permission(name='luci.dev.p1'), realms_pb2.Permission(name='luci.dev.p2'), ]) realms_globals.put() model.AuthProjectRealms(key=model.project_realms_key('proj_id1'), realms=realms_pb2.Realms(api_version=1234), config_rev='rev1', perms_rev='rev1').put() model.AuthProjectRealms(key=model.project_realms_key('proj_id2'), realms=realms_pb2.Realms(api_version=1234), config_rev='rev2', perms_rev='rev2').put() captured_state, snapshot = replication.new_auth_db_snapshot() expected_state = { 'auth_db_rev': 123, 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'primary_id': u'blah', 'primary_url': u'https://blah', 'shard_ids': [], } self.assertEqual(expected_state, captured_state.to_dict()) expected_snapshot = { 'global_config': { '__id__': 'root', '__parent__': None, 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'oauth_additional_client_ids': [u'a', u'b'], 'oauth_client_id': u'oauth_client_id', 'oauth_client_secret': u'oauth_client_secret', 'security_config': 'security config blob', 'token_server_url': u'https://token-server', }, 'groups': [ { '__id__': 'Another group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': None, 'created_ts': None, 'description': u'', 'globs': [], 'members': [], 'modified_by': None, 'modified_ts': None, 'nested': [u'Some group'], 'owners': u'administrators', }, { '__id__': 'Some group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')], 'members': [model.Identity(kind='user', name='*****@*****.**')], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'nested': [], 'owners': u'owning-group', }, ], 'ip_whitelists': [ { '__id__': 'bots', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'subnets': [u'127.0.0.1/32'], }, ], 'ip_whitelist_assignments': { '__id__': 'default', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'assignments': [ { 'comment': u'some comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'identity': model.Identity(kind='user', name='*****@*****.**'), 'ip_whitelist': u'bots', }, ], 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), }, 'realms_globals': { '__id__': 'globals', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_prev_rev': None, 'auth_db_rev': None, 'modified_by': None, 'modified_ts': None, 'permissions': [ realms_pb2.Permission(name='luci.dev.p1'), realms_pb2.Permission(name='luci.dev.p2'), ], }, 'project_realms': [{ '__id__': 'proj_id1', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_prev_rev': None, 'auth_db_rev': None, 'config_rev': u'rev1', 'perms_rev': u'rev1', 'modified_by': None, 'modified_ts': None, 'realms': realms_pb2.Realms(api_version=1234), }, { '__id__': 'proj_id2', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_prev_rev': None, 'auth_db_rev': None, 'config_rev': u'rev2', 'perms_rev': u'rev2', 'modified_by': None, 'modified_ts': None, 'realms': realms_pb2.Realms(api_version=1234), }], } self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def test_non_empty(self): self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1)) state = model.AuthReplicationState( key=model.replication_state_key(), primary_id='blah', primary_url='https://blah', auth_db_rev=123) state.put() global_config = model.AuthGlobalConfig( key=model.root_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), oauth_client_id='oauth_client_id', oauth_client_secret='oauth_client_secret', oauth_additional_client_ids=['a', 'b']) global_config.put() group = model.AuthGroup( key=model.group_key('Some group'), members=[model.Identity.from_bytes('user:[email protected]')], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=[], description='Some description', owners='owning-group', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) group.put() another = model.AuthGroup( key=model.group_key('Another group'), nested=['Some group']) another.put() global_secret = model.AuthSecret( id='global_secret', parent=model.secret_scope_key('global'), values=['1234', '5678'], modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) global_secret.put() # Local secret should not appear in a snapshot. local_secret = model.AuthSecret( id='local_secret', parent=model.secret_scope_key('local'), values=['1234', '5678'], modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) local_secret.put() ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32'], description='Some description', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) ip_whitelist.put() ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Identity.from_bytes('user:[email protected]'), ip_whitelist='bots', comment='some comment', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]')), ]) ip_whitelist_assignments.put() captured_state, snapshot = replication.new_auth_db_snapshot() expected_state = { 'auth_db_rev': 123, 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'primary_id': u'blah', 'primary_url': u'https://blah', } self.assertEqual(expected_state, captured_state.to_dict()) expected_snapshot = { 'global_config': { '__id__': 'root', '__parent__': None, 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'oauth_additional_client_ids': [u'a', u'b'], 'oauth_client_id': u'oauth_client_id', 'oauth_client_secret': u'oauth_client_secret', }, 'groups': [ { '__id__': 'Another group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': None, 'created_ts': None, 'description': u'', 'globs': [], 'members': [], 'modified_by': None, 'modified_ts': None, 'nested': [u'Some group'], 'owners': u'administrators', }, { '__id__': 'Some group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')], 'members': [model.Identity(kind='user', name='*****@*****.**')], 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'nested': [], 'owners': u'owning-group', }, ], 'secrets': [ { '__id__': 'global_secret', '__parent__': ndb.Key( 'AuthGlobalConfig', 'root', 'AuthSecretScope', 'global'), 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'values': ['1234', '5678'], }, ], 'ip_whitelists': [ { '__id__': 'bots', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'subnets': [u'127.0.0.1/32'], }, ], 'ip_whitelist_assignments': { '__id__': 'default', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'assignments': [ { 'comment': u'some comment', 'created_by': model.Identity( kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'identity': model.Identity( kind='user', name='*****@*****.**'), 'ip_whitelist': u'bots', }, ], 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), }, } self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def group(name, **kwargs): return model.AuthGroup( key=model.group_key(name), created_ts=utils.utcnow(), modified_ts=utils.utcnow(), **kwargs)
def test_list_group(self): def list_group(groups, group, recursive): l = api.AuthDB(groups=groups).list_group(group, recursive) return api.GroupListing(sorted(l.members), sorted(l.globs), sorted(l.nested)) grp_1 = model.AuthGroup(id='1') grp_1.members.extend([ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ]) grp_1.globs.extend([ model.IdentityGlob(model.IDENTITY_USER, '*@a.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'), ]) grp_2 = model.AuthGroup(id='2') grp_2.nested.append('1') grp_2.members.extend([ # Specify 'b' again, even though it's in a nested group. model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ]) grp_2.globs.extend([ # Specify '*@b.example.com' again, even though it's in a nested group. model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'), ]) # Unknown group. empty = api.GroupListing([], [], []) self.assertEqual(empty, list_group([grp_1, grp_2], 'blah', False)) self.assertEqual(empty, list_group([grp_1, grp_2], 'blah', True)) # Non recursive. expected = api.GroupListing( members=[ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ], globs=[ model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'), ], nested=['1']) self.assertEqual(expected, list_group([grp_1, grp_2], '2', False)) # Recursive. expected = api.GroupListing( members=[ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ], globs=[ model.IdentityGlob(model.IDENTITY_USER, '*@a.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'), ], nested=['1']) self.assertEqual(expected, list_group([grp_1, grp_2], '2', True))
def group(name, **kwargs): return model.AuthGroup(key=model.group_key(name), **kwargs)