def test_equality(self): # IdentityGlobs are compared by values, not by reference. glob1 = model.IdentityGlob(model.IDENTITY_USER, '*@example.com') glob2 = model.IdentityGlob(model.IDENTITY_USER, '*@example.com') glob3 = model.IdentityGlob(model.IDENTITY_USER, '*[email protected]') self.assertEqual(glob1, glob2) self.assertNotEqual(glob1, glob3) # Verify that adding extra attribute doesn't change equality relation. glob1.extra = 1 glob2.extra = 2 self.assertEqual(glob1, glob2)
def test_match(self): glob = model.IdentityGlob(model.IDENTITY_USER, '*@example.com') self.assertTrue( glob.match(model.Identity(model.IDENTITY_USER, '*****@*****.**'))) self.assertFalse( glob.match(model.Identity(model.IDENTITY_BOT, '*****@*****.**'))) self.assertFalse( glob.match(model.Identity(model.IDENTITY_USER, '*****@*****.**')))
def test_immutable(self): # See comment in IdentityTest.test_immutable regarding existing hole in # immutability. glob = model.IdentityGlob(model.IDENTITY_USER, '*@example.com') self.assertTrue(isinstance(glob, tuple)) with self.assertRaises(AttributeError): glob.kind = model.IDENTITY_USER with self.assertRaises(AttributeError): glob.pattern = '*@example.com'
def test_validation(self): # Unicode with ASCII data is ok. ok_globs = ( (unicode(model.IDENTITY_USER), '*@example.com'), (model.IDENTITY_USER, u'*@example.com'), ) for kind, pattern in ok_globs: glob = model.IdentityGlob(kind, pattern) # Should be 'str', not 'unicode' self.assertEqual(type(glob.kind), str) self.assertEqual(type(glob.pattern), str) # And data should match. self.assertEqual(kind, glob.kind) self.assertEqual(pattern, glob.pattern) # Nasty stuff. bad_globs = (('unknown-kind', '*@example.com'), (model.IDENTITY_USER, ''), (model.IDENTITY_USER, u'\u043f\u0440\u0438\u0432\u0435\u0442')) for kind, pattern in bad_globs: with self.assertRaises(ValueError): model.IdentityGlob(kind, pattern)
def test_serialization(self): # IdentityGlob object goes through serialize-deserialize process unchanged. glob = model.IdentityGlob(model.IDENTITY_USER, '*@example.com') self.assertEqual(glob, model.IdentityGlob.from_bytes(glob.to_bytes())) # Malformed data causes ValueError. bad_cases = ( '', 'user*@example.com', 'user:'******':*@example.com', ) for case in bad_cases: with self.assertRaises(ValueError): model.IdentityGlob.from_bytes(case)
def test_is_group_member(self): # Test identity. joe = model.Identity(model.IDENTITY_USER, '*****@*****.**') # Group that includes joe via glob. with_glob = model.AuthGroup(id='WithGlob') with_glob.globs.append( model.IdentityGlob(model.IDENTITY_USER, '*@example.com')) # Group that includes joe via explicit listing. with_listing = model.AuthGroup(id='WithListing') with_listing.members.append(joe) # Group that includes joe via nested group. with_nesting = model.AuthGroup(id='WithNesting') with_nesting.nested.append('WithListing') # Creates AuthDB with given list of groups and then runs the check. is_member = (lambda groups, identity, group: api.AuthDB(groups=groups). is_group_member(group, identity)) # Wildcard group includes everyone (even anonymous). self.assertTrue(is_member([], joe, '*')) self.assertTrue(is_member([], model.Anonymous, '*')) # An unknown group includes nobody. self.assertFalse(is_member([], joe, 'Missing')) self.assertFalse(is_member([], model.Anonymous, 'Missing')) # Globs are respected. self.assertTrue(is_member([with_glob], joe, 'WithGlob')) self.assertFalse(is_member([with_glob], model.Anonymous, 'WithGlob')) # Members lists are respected. self.assertTrue(is_member([with_listing], joe, 'WithListing')) self.assertFalse( is_member([with_listing], model.Anonymous, 'WithListing')) # Nested groups are respected. self.assertTrue( is_member([with_nesting, with_listing], joe, 'WithNesting')) self.assertFalse( is_member([with_nesting, with_listing], model.Anonymous, 'WithNesting'))
def test_non_empty(self): self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1)) state = model.AuthReplicationState( key=model.replication_state_key(), primary_id='blah', primary_url='https://blah', auth_db_rev=123) state.put() global_config = model.AuthGlobalConfig( key=model.root_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), oauth_client_id='oauth_client_id', oauth_client_secret='oauth_client_secret', oauth_additional_client_ids=['a', 'b']) global_config.put() group = model.AuthGroup( key=model.group_key('Some group'), members=[model.Identity.from_bytes('user:[email protected]')], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=[], description='Some description', owners='owning-group', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) group.put() another = model.AuthGroup( key=model.group_key('Another group'), nested=['Some group']) another.put() global_secret = model.AuthSecret( id='global_secret', parent=model.secret_scope_key('global'), values=['1234', '5678'], modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) global_secret.put() # Local secret should not appear in a snapshot. local_secret = model.AuthSecret( id='local_secret', parent=model.secret_scope_key('local'), values=['1234', '5678'], modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) local_secret.put() ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32'], description='Some description', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) ip_whitelist.put() ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Identity.from_bytes('user:[email protected]'), ip_whitelist='bots', comment='some comment', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]')), ]) ip_whitelist_assignments.put() captured_state, snapshot = replication.new_auth_db_snapshot() expected_state = { 'auth_db_rev': 123, 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'primary_id': u'blah', 'primary_url': u'https://blah', } self.assertEqual(expected_state, captured_state.to_dict()) expected_snapshot = { 'global_config': { '__id__': 'root', '__parent__': None, 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'oauth_additional_client_ids': [u'a', u'b'], 'oauth_client_id': u'oauth_client_id', 'oauth_client_secret': u'oauth_client_secret', }, 'groups': [ { '__id__': 'Another group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': None, 'created_ts': None, 'description': u'', 'globs': [], 'members': [], 'modified_by': None, 'modified_ts': None, 'nested': [u'Some group'], 'owners': u'administrators', }, { '__id__': 'Some group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')], 'members': [model.Identity(kind='user', name='*****@*****.**')], 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'nested': [], 'owners': u'owning-group', }, ], 'secrets': [ { '__id__': 'global_secret', '__parent__': ndb.Key( 'AuthGlobalConfig', 'root', 'AuthSecretScope', 'global'), 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'values': ['1234', '5678'], }, ], 'ip_whitelists': [ { '__id__': 'bots', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'subnets': [u'127.0.0.1/32'], }, ], 'ip_whitelist_assignments': { '__id__': 'default', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'assignments': [ { 'comment': u'some comment', 'created_by': model.Identity( kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'identity': model.Identity( kind='user', name='*****@*****.**'), 'ip_whitelist': u'bots', }, ], 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), }, } self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def test_groups_log(self): ident_a = model.Identity.from_bytes('user:[email protected]') ident_b = model.Identity.from_bytes('user:[email protected]') glob_a = model.IdentityGlob.from_bytes('user:*@a.com') glob_b = model.IdentityGlob.from_bytes('user:*@b.com') @ndb.transactional def modify(name, commit=True, **kwargs): k = model.group_key(name) e = k.get() if not e: e = model.AuthGroup(key=k, created_by=ident_a, created_ts=utils.utcnow()) e.record_revision(modified_by=ident_a, modified_ts=utils.utcnow(), comment='Comment') e.populate(**kwargs) e.put() if commit: model.replicate_auth_db() @ndb.transactional def remove(name, commit=True): e = model.group_key(name).get() if e: e.record_deletion(modified_by=model.Identity.from_bytes( 'user:[email protected]'), modified_ts=utils.utcnow(), comment='Comment') e.key.delete() if commit: model.replicate_auth_db() modify('A', members=[]) modify('A', members=[ident_a], globs=[glob_a]) modify('B', members=[ident_b], globs=[glob_b]) modify('A', nested=['B']) @ndb.transactional def batch(): modify('B', commit=False, description='Blah') remove('A', commit=True) batch() modify('B', members=[ident_a, ident_b], globs=[glob_a, glob_b]) # Final state. self.assertIsNone(model.group_key('A').get()) self.assertEqual( { 'auth_db_rev': 6, 'auth_db_prev_rev': 5, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [ model.IdentityGlob(kind='user', pattern='*@a.com'), model.IdentityGlob(kind='user', pattern='*@b.com'), ], 'members': [ model.Identity(kind='user', name='*****@*****.**'), model.Identity(kind='user', name='*****@*****.**'), ], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, model.group_key('B').get().to_dict()) # Copies in the history. cpy = lambda name, rev: ndb.Key( 'Rev', rev, 'AuthGroupHistory', name, parent=model.root_key()) self.assertEqual( { cpy('A', 1): { 'auth_db_rev': 1, 'auth_db_prev_rev': None, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [], 'members': [], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('A', 2): { 'auth_db_rev': 2, 'auth_db_prev_rev': 1, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('B', 3): { 'auth_db_rev': 3, 'auth_db_prev_rev': None, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_b], 'members': [ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('A', 4): { 'auth_db_rev': 4, 'auth_db_prev_rev': 2, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [u'B'], 'owners': u'administrators', }, # Batch revision. cpy('A', 5): { 'auth_db_rev': 5, 'auth_db_prev_rev': 4, 'auth_db_app_version': u'v1a', 'auth_db_deleted': True, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [u'B'], 'owners': u'administrators', }, cpy('B', 5): { 'auth_db_rev': 5, 'auth_db_prev_rev': 3, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [glob_b], 'members': [ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, # /end of batch revision cpy('B', 6): { 'auth_db_rev': 6, 'auth_db_prev_rev': 5, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [glob_a, glob_b], 'members': [ident_a, ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, }, self.grab_log(model.AuthGroup))
def test_groups_diff(self): def create(): make_group( name='A group', members=[ident('*****@*****.**'), ident('*****@*****.**')], globs=[glob('*@example.com'), glob('*@other.com')], nested=['A', 'B'], description='Blah', comment='New group') changes = self.grab_all(self.auth_db_transaction(create)) self.assertEqual( { 'AuthDBChange:AuthGroup$A group!1000': { 'app_version': u'v1a', 'auth_db_rev': 1, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_CREATED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'New group', 'description': u'Blah', 'owners': u'administrators', 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1200': { 'app_version': u'v1a', 'auth_db_rev': 1, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_MEMBERS_ADDED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'New group', 'members': [ model.Identity(kind='user', name='*****@*****.**'), model.Identity(kind='user', name='*****@*****.**'), ], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1400': { 'app_version': u'v1a', 'auth_db_rev': 1, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_GLOBS_ADDED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'New group', 'globs': [ model.IdentityGlob(kind='user', pattern='*@example.com'), model.IdentityGlob(kind='user', pattern='*@other.com'), ], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1600': { 'app_version': u'v1a', 'auth_db_rev': 1, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_NESTED_ADDED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'New group', 'nested': [u'A', u'B'], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, }, changes) def modify(): g = model.group_key('A group').get() g.members = [ident('*****@*****.**'), ident('*****@*****.**')] g.globs = [glob('*@example.com'), glob('*@blah.com')] g.nested = ['A', 'C'] g.description = 'Another blah' g.owners = 'another-owners' g.record_revision(modified_by=ident('*****@*****.**'), modified_ts=utils.utcnow(), comment='Changed') g.put() changes = self.grab_all(self.auth_db_transaction(modify)) self.assertEqual( { 'AuthDBChange:AuthGroup$A group!1100': { 'app_version': u'v1a', 'auth_db_rev': 2, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_DESCRIPTION_CHANGED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Changed', 'description': u'Another blah', 'old_description': u'Blah', 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1150': { 'app_version': u'v1a', 'auth_db_rev': 2, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_OWNERS_CHANGED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Changed', 'old_owners': u'administrators', 'owners': u'another-owners', 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1200': { 'app_version': u'v1a', 'auth_db_rev': 2, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_MEMBERS_ADDED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Changed', 'members': [model.Identity(kind='user', name='*****@*****.**')], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1300': { 'app_version': u'v1a', 'auth_db_rev': 2, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_MEMBERS_REMOVED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Changed', 'members': [model.Identity(kind='user', name='*****@*****.**')], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1400': { 'app_version': u'v1a', 'auth_db_rev': 2, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_GLOBS_ADDED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Changed', 'globs': [model.IdentityGlob(kind='user', pattern='*@blah.com')], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1500': { 'app_version': u'v1a', 'auth_db_rev': 2, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_GLOBS_REMOVED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Changed', 'globs': [model.IdentityGlob(kind='user', pattern='*@other.com')], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1600': { 'app_version': u'v1a', 'auth_db_rev': 2, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_NESTED_ADDED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Changed', 'nested': [u'C'], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1700': { 'app_version': u'v1a', 'auth_db_rev': 2, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_NESTED_REMOVED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Changed', 'nested': [u'B'], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, }, changes) def delete(): g = model.group_key('A group').get() g.record_deletion(modified_by=ident('*****@*****.**'), modified_ts=utils.utcnow(), comment='Deleted') g.key.delete() changes = self.grab_all(self.auth_db_transaction(delete)) self.assertEqual( { 'AuthDBChange:AuthGroup$A group!1300': { 'app_version': u'v1a', 'auth_db_rev': 3, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_MEMBERS_REMOVED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Deleted', 'members': [ model.Identity(kind='user', name='*****@*****.**'), model.Identity(kind='user', name='*****@*****.**'), ], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1500': { 'app_version': u'v1a', 'auth_db_rev': 3, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_GLOBS_REMOVED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Deleted', 'globs': [ model.IdentityGlob(kind='user', pattern='*@example.com'), model.IdentityGlob(kind='user', pattern='*@blah.com'), ], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1700': { 'app_version': u'v1a', 'auth_db_rev': 3, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_NESTED_REMOVED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Deleted', 'nested': [u'A', u'C'], 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, 'AuthDBChange:AuthGroup$A group!1800': { 'app_version': u'v1a', 'auth_db_rev': 3, 'change_type': change_log.AuthDBChange.CHANGE_GROUP_DELETED, 'class_': [u'AuthDBChange', u'AuthDBGroupChange'], 'comment': u'Deleted', 'old_description': u'Another blah', 'old_owners': u'another-owners', 'target': u'AuthGroup$A group', 'when': datetime.datetime(2015, 1, 2, 3, 4, 5), 'who': model.Identity(kind='user', name='*****@*****.**'), }, }, changes)
def test_non_empty(self): self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1)) state = model.AuthReplicationState(key=model.replication_state_key(), primary_id='blah', primary_url='https://blah', auth_db_rev=123) state.put() global_config = model.AuthGlobalConfig( key=model.root_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), oauth_client_id='oauth_client_id', oauth_client_secret='oauth_client_secret', oauth_additional_client_ids=['a', 'b'], token_server_url='https://token-server', security_config='security config blob') global_config.put() group = model.AuthGroup( key=model.group_key('Some group'), members=[model.Identity.from_bytes('user:[email protected]')], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=[], description='Some description', owners='owning-group', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) group.put() another = model.AuthGroup(key=model.group_key('Another group'), nested=['Some group']) another.put() ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32'], description='Some description', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) ip_whitelist.put() ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Identity.from_bytes( 'user:[email protected]'), ip_whitelist='bots', comment='some comment', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes( 'user:[email protected]')), ]) ip_whitelist_assignments.put() realms_globals = model.AuthRealmsGlobals( key=model.realms_globals_key(), permissions=[ realms_pb2.Permission(name='luci.dev.p1'), realms_pb2.Permission(name='luci.dev.p2'), ]) realms_globals.put() model.AuthProjectRealms(key=model.project_realms_key('proj_id1'), realms=realms_pb2.Realms(api_version=1234), config_rev='rev1', perms_rev='rev1').put() model.AuthProjectRealms(key=model.project_realms_key('proj_id2'), realms=realms_pb2.Realms(api_version=1234), config_rev='rev2', perms_rev='rev2').put() captured_state, snapshot = replication.new_auth_db_snapshot() expected_state = { 'auth_db_rev': 123, 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'primary_id': u'blah', 'primary_url': u'https://blah', 'shard_ids': [], } self.assertEqual(expected_state, captured_state.to_dict()) expected_snapshot = { 'global_config': { '__id__': 'root', '__parent__': None, 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'oauth_additional_client_ids': [u'a', u'b'], 'oauth_client_id': u'oauth_client_id', 'oauth_client_secret': u'oauth_client_secret', 'security_config': 'security config blob', 'token_server_url': u'https://token-server', }, 'groups': [ { '__id__': 'Another group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': None, 'created_ts': None, 'description': u'', 'globs': [], 'members': [], 'modified_by': None, 'modified_ts': None, 'nested': [u'Some group'], 'owners': u'administrators', }, { '__id__': 'Some group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')], 'members': [model.Identity(kind='user', name='*****@*****.**')], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'nested': [], 'owners': u'owning-group', }, ], 'ip_whitelists': [ { '__id__': 'bots', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'subnets': [u'127.0.0.1/32'], }, ], 'ip_whitelist_assignments': { '__id__': 'default', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'assignments': [ { 'comment': u'some comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'identity': model.Identity(kind='user', name='*****@*****.**'), 'ip_whitelist': u'bots', }, ], 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), }, 'realms_globals': { '__id__': 'globals', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_prev_rev': None, 'auth_db_rev': None, 'modified_by': None, 'modified_ts': None, 'permissions': [ realms_pb2.Permission(name='luci.dev.p1'), realms_pb2.Permission(name='luci.dev.p2'), ], }, 'project_realms': [{ '__id__': 'proj_id1', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_prev_rev': None, 'auth_db_rev': None, 'config_rev': u'rev1', 'perms_rev': u'rev1', 'modified_by': None, 'modified_ts': None, 'realms': realms_pb2.Realms(api_version=1234), }, { '__id__': 'proj_id2', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_prev_rev': None, 'auth_db_rev': None, 'config_rev': u'rev2', 'perms_rev': u'rev2', 'modified_by': None, 'modified_ts': None, 'realms': realms_pb2.Realms(api_version=1234), }], } self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def test_list_group(self): def list_group(groups, group, recursive): l = api.AuthDB(groups=groups).list_group(group, recursive) return api.GroupListing(sorted(l.members), sorted(l.globs), sorted(l.nested)) grp_1 = model.AuthGroup(id='1') grp_1.members.extend([ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ]) grp_1.globs.extend([ model.IdentityGlob(model.IDENTITY_USER, '*@a.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'), ]) grp_2 = model.AuthGroup(id='2') grp_2.nested.append('1') grp_2.members.extend([ # Specify 'b' again, even though it's in a nested group. model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ]) grp_2.globs.extend([ # Specify '*@b.example.com' again, even though it's in a nested group. model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'), ]) # Unknown group. empty = api.GroupListing([], [], []) self.assertEqual(empty, list_group([grp_1, grp_2], 'blah', False)) self.assertEqual(empty, list_group([grp_1, grp_2], 'blah', True)) # Non recursive. expected = api.GroupListing( members=[ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ], globs=[ model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'), ], nested=['1']) self.assertEqual(expected, list_group([grp_1, grp_2], '2', False)) # Recursive. expected = api.GroupListing( members=[ model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), model.Identity(model.IDENTITY_USER, '*****@*****.**'), ], globs=[ model.IdentityGlob(model.IDENTITY_USER, '*@a.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'), model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'), ], nested=['1']) self.assertEqual(expected, list_group([grp_1, grp_2], '2', True))