def configure_as_replica(auth_db_rev=0, modified_ts=None):
state = model.AuthReplicationState(key=model.replication_state_key(),
primary_id='primary',
primary_url='https://primary',
auth_db_rev=auth_db_rev,
modified_ts=modified_ts)
state.put()
def configure_as_replica(auth_db_rev=0, modified_ts=None):
state = model.AuthReplicationState(
key=model.replication_state_key(),
primary_id='primary',
primary_url='https://primary',
auth_db_rev=auth_db_rev,
modified_ts=modified_ts)
state.put()
def test_non_empty(self):
self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1))
state = model.AuthReplicationState(
key=model.replication_state_key(),
primary_id='blah',
primary_url='https://blah',
auth_db_rev=123)
state.put()
global_config = model.AuthGlobalConfig(
key=model.root_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
oauth_client_id='oauth_client_id',
oauth_client_secret='oauth_client_secret',
oauth_additional_client_ids=['a', 'b'])
global_config.put()
group = model.AuthGroup(
key=model.group_key('Some group'),
members=[model.Identity.from_bytes('user:[email protected]')],
globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
nested=[],
description='Some description',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
group.put()
another = model.AuthGroup(
key=model.group_key('Another group'),
nested=['Some group'])
another.put()
global_secret = model.AuthSecret(
id='global_secret',
parent=model.secret_scope_key('global'),
values=['1234', '5678'],
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
global_secret.put()
# Local secret should not appear in a snapshot.
local_secret = model.AuthSecret(
id='local_secret',
parent=model.secret_scope_key('local'),
values=['1234', '5678'],
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
local_secret.put()
ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('bots'),
subnets=['127.0.0.1/32'],
description='Some description',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
ip_whitelist.put()
ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
key=model.ip_whitelist_assignments_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
assignments=[
model.AuthIPWhitelistAssignments.Assignment(
identity=model.Identity.from_bytes('user:[email protected]'),
ip_whitelist='bots',
comment='some comment',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]')),
])
ip_whitelist_assignments.put()
captured_state, snapshot = replication.new_auth_db_snapshot()
expected_state = {
'auth_db_rev': 123,
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'primary_id': u'blah',
'primary_url': u'https://blah',
}
self.assertEqual(expected_state, captured_state.to_dict())
expected_snapshot = {
'global_config': {
'__id__': 'root',
'__parent__': None,
'auth_db_rev': None,
'auth_db_prev_rev': None,
'modified_by': model.Identity(kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'oauth_additional_client_ids': [u'a', u'b'],
'oauth_client_id': u'oauth_client_id',
'oauth_client_secret': u'oauth_client_secret',
},
'groups': [
{
'__id__': 'Another group',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': None,
'created_ts': None,
'description': '',
'globs': [],
'members': [],
'modified_by': None,
'modified_ts': None,
'nested': [u'Some group'],
},
{
'__id__': 'Some group',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': model.Identity(kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'description': u'Some description',
'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')],
'members': [model.Identity(kind='user', name='*****@*****.**')],
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'nested': [],
},
],
'secrets': [
{
'__id__': 'global_secret',
'__parent__': ndb.Key(
'AuthGlobalConfig', 'root', 'AuthSecretScope', 'global'),
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'values': ['1234', '5678'],
},
],
'ip_whitelists': [
{
'__id__': 'bots',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': model.Identity(kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'description': u'Some description',
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'subnets': ['127.0.0.1/32'],
},
],
'ip_whitelist_assignments': {
'__id__': 'default',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'assignments': [
{
'comment': 'some comment',
'created_by': model.Identity(
kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'identity': model.Identity(
kind='user', name='*****@*****.**'),
'ip_whitelist': 'bots',
},
],
'auth_db_rev': None,
'auth_db_prev_rev': None,
'modified_by': model.Identity(kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
},
}
self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def test_success(self):
self.mock_now(datetime.datetime(2015, 1, 1))
def totimestamp(datetimeobj):
return utils.datetime_to_timestamp(datetimeobj) / 10**6
@ndb.tasklet
def urlfetch(url, payload, **_rest):
urlfetch.called = True
self.assertEqual(
url,
'https://tokens.example.com/prpc/tokenserver.minter.TokenMinter/'
'MintProjectToken')
payload = json.loads(payload)
self.assertEqual(payload, urlfetch.expected_payload)
expiry = utils.utcnow() + datetime.timedelta(seconds=1800)
res = {
'accessToken': 'deadbeef',
'serviceAccountEmail': '*****@*****.**',
'expiry': expiry.isoformat('T') + 'Z',
}
raise ndb.Return(
self.Response(200, json.dumps(res, sort_keys=True)))
urlfetch.expected_payload = {
u'luci_project': u'test-project',
u'oauth_scope': [
u'https://www.googleapis.com/auth/cloud-platform',
],
u'min_validity_duration': 300,
u'audit_tags': [],
}
urlfetch.called = False
self.mock(service_account, '_urlfetch_async', urlfetch)
model.AuthReplicationState(
key=model.replication_state_key(),
primary_url='https://auth.example.com',
primary_id='example-app-id',
).put()
model.AuthGlobalConfig(
key=model.root_key(),
token_server_url='https://tokens.example.com',
).put()
args = {
'project_id': 'test-project',
'oauth_scopes': [
u'https://www.googleapis.com/auth/cloud-platform',
],
'min_validity_duration_sec': 300,
'auth_request_func': service_account.authenticated_request_async,
}
result = project_tokens.project_token(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result['access_token'], 'deadbeef')
self.assertEqual(
result['exp_ts'],
totimestamp(utils.utcnow() + datetime.timedelta(seconds=1800)))
def test_non_empty(self):
self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1))
state = model.AuthReplicationState(
key=model.replication_state_key(),
primary_id='blah',
primary_url='https://blah',
auth_db_rev=123)
state.put()
global_config = model.AuthGlobalConfig(
key=model.root_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
oauth_client_id='oauth_client_id',
oauth_client_secret='oauth_client_secret',
oauth_additional_client_ids=['a', 'b'])
global_config.put()
group = model.AuthGroup(
key=model.group_key('Some group'),
members=[model.Identity.from_bytes('user:[email protected]')],
globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
nested=[],
description='Some description',
owners='owning-group',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
group.put()
another = model.AuthGroup(
key=model.group_key('Another group'),
nested=['Some group'])
another.put()
global_secret = model.AuthSecret(
id='global_secret',
parent=model.secret_scope_key('global'),
values=['1234', '5678'],
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
global_secret.put()
# Local secret should not appear in a snapshot.
local_secret = model.AuthSecret(
id='local_secret',
parent=model.secret_scope_key('local'),
values=['1234', '5678'],
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
local_secret.put()
ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('bots'),
subnets=['127.0.0.1/32'],
description='Some description',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
ip_whitelist.put()
ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
key=model.ip_whitelist_assignments_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
assignments=[
model.AuthIPWhitelistAssignments.Assignment(
identity=model.Identity.from_bytes('user:[email protected]'),
ip_whitelist='bots',
comment='some comment',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]')),
])
ip_whitelist_assignments.put()
captured_state, snapshot = replication.new_auth_db_snapshot()
expected_state = {
'auth_db_rev': 123,
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'primary_id': u'blah',
'primary_url': u'https://blah',
}
self.assertEqual(expected_state, captured_state.to_dict())
expected_snapshot = {
'global_config': {
'__id__': 'root',
'__parent__': None,
'auth_db_rev': None,
'auth_db_prev_rev': None,
'modified_by': model.Identity(kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'oauth_additional_client_ids': [u'a', u'b'],
'oauth_client_id': u'oauth_client_id',
'oauth_client_secret': u'oauth_client_secret',
},
'groups': [
{
'__id__': 'Another group',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': None,
'created_ts': None,
'description': u'',
'globs': [],
'members': [],
'modified_by': None,
'modified_ts': None,
'nested': [u'Some group'],
'owners': u'administrators',
},
{
'__id__': 'Some group',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': model.Identity(kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'description': u'Some description',
'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')],
'members': [model.Identity(kind='user', name='*****@*****.**')],
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'nested': [],
'owners': u'owning-group',
},
],
'secrets': [
{
'__id__': 'global_secret',
'__parent__': ndb.Key(
'AuthGlobalConfig', 'root', 'AuthSecretScope', 'global'),
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'values': ['1234', '5678'],
},
],
'ip_whitelists': [
{
'__id__': 'bots',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': model.Identity(kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'description': u'Some description',
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'subnets': [u'127.0.0.1/32'],
},
],
'ip_whitelist_assignments': {
'__id__': 'default',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'assignments': [
{
'comment': u'some comment',
'created_by': model.Identity(
kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'identity': model.Identity(
kind='user', name='*****@*****.**'),
'ip_whitelist': u'bots',
},
],
'auth_db_rev': None,
'auth_db_prev_rev': None,
'modified_by': model.Identity(kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
},
}
self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def test_success(self):
self.mock_now(datetime.datetime(2015, 1, 1))
@ndb.tasklet
def urlfetch(url, payload, **_rest):
urlfetch.called = True
self.assertEqual(
url,
'https://tokens.example.com/prpc/tokenserver.minter.TokenMinter/'
'MintDelegationToken')
payload = json.loads(payload)
self.assertEqual(payload, urlfetch.expected_payload)
res = {
'token': 'deadbeef',
'serviceVersion': 'app-id/version-id',
'delegationSubtoken': {
'kind': 'BEARER_DELEGATION_TOKEN',
'validityDuration': payload['validityDuration'],
'subtokenId': '12345',
},
}
raise ndb.Return(
self.Response(200, ")]}'\n" + json.dumps(res, sort_keys=True)))
urlfetch.expected_payload = {
u'audience': [
u'REQUESTOR',
u'group:g',
u'user:[email protected]',
u'user:[email protected]',
],
u'services': [u'https://example.com', u'service:1', u'service:2'],
u'delegatedIdentity':
u'user:[email protected]',
u'tags': [u'a:b', u'c:d'],
u'validityDuration':
3000,
}
urlfetch.called = False
self.mock(delegation, '_urlfetch_async', urlfetch)
model.AuthReplicationState(
key=model.replication_state_key(),
primary_url='https://auth.example.com',
primary_id='example-app-id',
).put()
model.AuthGlobalConfig(
key=model.root_key(),
token_server_url='https://tokens.example.com',
).put()
args = {
'audience': [
'user:[email protected]',
model.Identity('user', '*****@*****.**'),
'group:g',
'REQUESTOR',
],
'services': [
'service:1',
model.Identity('service', '2'),
'https://example.com',
],
'max_validity_duration_sec':
3000,
'impersonate':
model.Identity('user', '*****@*****.**'),
'tags': ['c:d', 'a:b'],
}
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(result.expiry,
utils.utcnow() + datetime.timedelta(seconds=3000))
# Get from cache.
urlfetch.called = False
delegation.delegate(**args)
self.assertFalse(urlfetch.called)
# Get from cache with larger validity duration.
urlfetch.called = False
args['min_validity_duration_sec'] = 5000
args['max_validity_duration_sec'] = 5000
urlfetch.expected_payload['validityDuration'] = 5000
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(result.expiry,
utils.utcnow() + datetime.timedelta(seconds=5000))
self.assertTrue(urlfetch.called)
def test_success(self):
model.AuthReplicationState(
key=model.replication_state_key(),
primary_url='https://auth.example.com',
primary_id='example-app-id',
).put()
model.AuthGlobalConfig(
key=model.root_key(),
token_server_url='https://tokens.example.com',
).put()
calls = []
@ndb.tasklet
def mocked_urlfetch_async(*args, **_):
mocked_urlfetch_async.called = True
calls.append(('urlfetch', args))
expiry = utils.utcnow() + datetime.timedelta(seconds=1800)
res = {
'accessToken': 'someaccesstoken',
'serviceAccountEmail': '*****@*****.**',
'expiry': expiry.isoformat('T') + 'Z'
}
raise ndb.Return(
self.Response(200, json.dumps(res, sort_keys=True)))
self.mock(service_account, '_urlfetch_async', mocked_urlfetch_async)
# non-cached
token = service_account.get_project_access_token(
project_id='project1',
scopes=['https://www.googleapis.com/auth/cloud-platform'],
)
self.assertEqual(token[0], 'someaccesstoken')
self.assertEqual(
token[1],
self.totimestamp(utils.utcnow() +
datetime.timedelta(seconds=1800)))
self.assertTrue(mocked_urlfetch_async.called)
mocked_urlfetch_async.called = False
# cached
token = service_account.get_project_access_token(
project_id='project1',
scopes=['https://www.googleapis.com/auth/cloud-platform'],
)
self.assertEqual(token[0], 'someaccesstoken')
self.assertEqual(
token[1],
self.totimestamp(utils.utcnow() +
datetime.timedelta(seconds=1800)))
self.assertFalse(mocked_urlfetch_async.called)
# cache expired
token = service_account.get_project_access_token(
project_id='project1',
scopes=['https://www.googleapis.com/auth/cloud-platform'],
min_lifetime_sec=1800,
)
self.assertEqual(token[0], 'someaccesstoken')
self.assertEqual(
token[1],
self.totimestamp(utils.utcnow() +
datetime.timedelta(seconds=1800)))
self.assertTrue(mocked_urlfetch_async.called)
def test_success(self):
self.mock_now(datetime.datetime(2015, 1, 1))
@ndb.tasklet
def urlfetch(url, payload, **_rest):
urlfetch.called = True
self.assertEqual(
url,
'https://example.com/auth_service/api/v1/delegation/token/create'
)
payload = json.loads(payload)
self.assertEqual(payload, urlfetch.expected_payload)
res = {
'delegation_token': 'deadbeef',
'validity_duration': payload['validity_duration'],
}
raise ndb.Return(
self.Response(200, json.dumps(res, sort_keys=True)))
urlfetch.expected_payload = {
'audience': [
'group:g',
'user:[email protected]',
'user:[email protected]',
],
'services': ['service:1', 'service:2'],
'validity_duration': 3000,
'impersonate': 'user:[email protected]',
}
urlfetch.called = False
self.mock(delegation, '_urlfetch_async', urlfetch)
model.AuthReplicationState(
key=model.replication_state_key(),
primary_url='https://example.com',
primary_id='example-app-id',
).put()
args = {
'audience': [
'user:[email protected]',
model.Identity('user', '*****@*****.**'),
'group:g',
],
'services': ['service:1',
model.Identity('service', '2')],
'max_validity_duration_sec':
3000,
'impersonate':
model.Identity('user', '*****@*****.**'),
}
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(result.expiry,
utils.utcnow() + datetime.timedelta(seconds=3000))
# Get from cache.
urlfetch.called = False
delegation.delegate(**args) # must not increase urlfetch.call_count
self.assertFalse(urlfetch.called)
# Get from cache with larger validity duration.
urlfetch.called = False
args['min_validity_duration_sec'] = 5000
args['max_validity_duration_sec'] = 5000
urlfetch.expected_payload['validity_duration'] = 5000
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(result.expiry,
utils.utcnow() + datetime.timedelta(seconds=5000))
self.assertTrue(urlfetch.called)
def test_success(self):
self.mock_now(datetime.datetime(2015, 1, 1))
@ndb.tasklet
def urlfetch(url, payload, **_rest):
urlfetch.called = True
self.assertEqual(
url,
'https://example.com/auth_service/api/v1/delegation/token/create')
payload = json.loads(payload)
self.assertEqual(payload, urlfetch.expected_payload)
res = {
'delegation_token': 'deadbeef',
'validity_duration': payload['validity_duration'],
}
raise ndb.Return(self.Response(200, json.dumps(res, sort_keys=True)))
urlfetch.expected_payload = {
'audience': [
'user:[email protected]',
'user:[email protected]',
'group:g'
],
'services': ['service:1', 'service:2'],
'validity_duration': 3000,
'impersonate': 'user:[email protected]',
}
urlfetch.called = False
self.mock(delegation, '_urlfetch_async', urlfetch)
model.AuthReplicationState(
key=model.replication_state_key(),
primary_url='https://example.com'
).put()
args = {
'audience': [
'user:[email protected]',
model.Identity('user', '*****@*****.**'),
'group:g',
],
'services': [
'service:1',
model.Identity('service', '2')
],
'max_validity_duration_sec': 3000,
'impersonate': model.Identity('user', '*****@*****.**'),
}
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(
result.expiry, utils.utcnow() + datetime.timedelta(seconds=3000))
# Get from cache.
urlfetch.called = False
delegation.delegate(**args) # must not increase urlfetch.call_count
self.assertFalse(urlfetch.called)
# Get from cache with larger validity duration.
urlfetch.called = False
args['min_validity_duration_sec'] = 5000
args['max_validity_duration_sec'] = 5000
urlfetch.expected_payload['validity_duration'] = 5000
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(
result.expiry, utils.utcnow() + datetime.timedelta(seconds=5000))
self.assertTrue(urlfetch.called)
def test_non_empty(self):
self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1))
state = model.AuthReplicationState(key=model.replication_state_key(),
primary_id='blah',
primary_url='https://blah',
auth_db_rev=123)
state.put()
global_config = model.AuthGlobalConfig(
key=model.root_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
oauth_client_id='oauth_client_id',
oauth_client_secret='oauth_client_secret',
oauth_additional_client_ids=['a', 'b'],
token_server_url='https://token-server',
security_config='security config blob')
global_config.put()
group = model.AuthGroup(
key=model.group_key('Some group'),
members=[model.Identity.from_bytes('user:[email protected]')],
globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
nested=[],
description='Some description',
owners='owning-group',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
group.put()
another = model.AuthGroup(key=model.group_key('Another group'),
nested=['Some group'])
another.put()
ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('bots'),
subnets=['127.0.0.1/32'],
description='Some description',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
ip_whitelist.put()
ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
key=model.ip_whitelist_assignments_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
assignments=[
model.AuthIPWhitelistAssignments.Assignment(
identity=model.Identity.from_bytes(
'user:[email protected]'),
ip_whitelist='bots',
comment='some comment',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes(
'user:[email protected]')),
])
ip_whitelist_assignments.put()
realms_globals = model.AuthRealmsGlobals(
key=model.realms_globals_key(),
permissions=[
realms_pb2.Permission(name='luci.dev.p1'),
realms_pb2.Permission(name='luci.dev.p2'),
])
realms_globals.put()
model.AuthProjectRealms(key=model.project_realms_key('proj_id1'),
realms=realms_pb2.Realms(api_version=1234),
config_rev='rev1',
perms_rev='rev1').put()
model.AuthProjectRealms(key=model.project_realms_key('proj_id2'),
realms=realms_pb2.Realms(api_version=1234),
config_rev='rev2',
perms_rev='rev2').put()
captured_state, snapshot = replication.new_auth_db_snapshot()
expected_state = {
'auth_db_rev': 123,
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'primary_id': u'blah',
'primary_url': u'https://blah',
'shard_ids': [],
}
self.assertEqual(expected_state, captured_state.to_dict())
expected_snapshot = {
'global_config': {
'__id__':
'root',
'__parent__':
None,
'auth_db_rev':
None,
'auth_db_prev_rev':
None,
'modified_by':
model.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'oauth_additional_client_ids': [u'a', u'b'],
'oauth_client_id':
u'oauth_client_id',
'oauth_client_secret':
u'oauth_client_secret',
'security_config':
'security config blob',
'token_server_url':
u'https://token-server',
},
'groups': [
{
'__id__': 'Another group',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': None,
'created_ts': None,
'description': u'',
'globs': [],
'members': [],
'modified_by': None,
'modified_ts': None,
'nested': [u'Some group'],
'owners': u'administrators',
},
{
'__id__':
'Some group',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev':
None,
'auth_db_prev_rev':
None,
'created_by':
model.Identity(kind='user', name='*****@*****.**'),
'created_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'description':
u'Some description',
'globs':
[model.IdentityGlob(kind='user', pattern='*@example.com')],
'members':
[model.Identity(kind='user', name='*****@*****.**')],
'modified_by':
model.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'nested': [],
'owners':
u'owning-group',
},
],
'ip_whitelists': [
{
'__id__':
'bots',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev':
None,
'auth_db_prev_rev':
None,
'created_by':
model.Identity(kind='user', name='*****@*****.**'),
'created_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'description':
u'Some description',
'modified_by':
model.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'subnets': [u'127.0.0.1/32'],
},
],
'ip_whitelist_assignments': {
'__id__':
'default',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'assignments': [
{
'comment':
u'some comment',
'created_by':
model.Identity(kind='user',
name='*****@*****.**'),
'created_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'identity':
model.Identity(kind='user',
name='*****@*****.**'),
'ip_whitelist':
u'bots',
},
],
'auth_db_rev':
None,
'auth_db_prev_rev':
None,
'modified_by':
model.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
},
'realms_globals': {
'__id__':
'globals',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_prev_rev':
None,
'auth_db_rev':
None,
'modified_by':
None,
'modified_ts':
None,
'permissions': [
realms_pb2.Permission(name='luci.dev.p1'),
realms_pb2.Permission(name='luci.dev.p2'),
],
},
'project_realms': [{
'__id__':
'proj_id1',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_prev_rev':
None,
'auth_db_rev':
None,
'config_rev':
u'rev1',
'perms_rev':
u'rev1',
'modified_by':
None,
'modified_ts':
None,
'realms':
realms_pb2.Realms(api_version=1234),
}, {
'__id__':
'proj_id2',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_prev_rev':
None,
'auth_db_rev':
None,
'config_rev':
u'rev2',
'perms_rev':
u'rev2',
'modified_by':
None,
'modified_ts':
None,
'realms':
realms_pb2.Realms(api_version=1234),
}],
}
self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def mock_replication_state(auth_db_rev):
return model.AuthReplicationState(key=model.replication_state_key(),
primary_id='primary-id',
auth_db_rev=auth_db_rev)
