def create_providers(data, db_session):
s = db_session
providers = data["providers"]
for provider in providers:
prov = CloudProvider()
prov.name = provider["name"]
prov.backend = provider["backend"]
prov.service = provider["service"]
s.add(prov)
s.flush
for name, user in list(data["users"].items()):
new_user = User()
new_user.username = name
new_user.email = user["email"]
new_user.is_admin = user["is_admin"]
s.add(new_user)
user["id"] = new_user.id
for project in data["projects"]:
new_project = Project()
new_project.name = project["name"]
s.add(new_project)
for storage in project["storage_access"]:
provider = s.query(CloudProvider).filter_by(name=storage).first()
if provider:
new_storage_access = StorageAccess(provider_id=provider.id,
project_id=new_project.id)
s.add(new_storage_access)
for bucket in project["buckets"]:
new_bucket = Bucket()
new_bucket.name = bucket["name"]
provider = s.query(CloudProvider).filter_by(
name=bucket["provider"]).first()
new_bucket.provider_id = provider.id
s.add(new_bucket)
s.flush()
project_to_bucket = ProjectToBucket()
project_to_bucket.bucket_id = new_bucket.id
project_to_bucket.project_id = new_project.id
s.add(project_to_bucket)
s.flush()
for user in project["users"]:
access = AccessPrivilege()
access.user_id = data["users"][user["name"]]["id"]
access.project_id = new_project.id
s.add(access)
def test_invalid_service_account_has_external_access(
client,
app,
encoded_jwt_service_accounts_access,
valid_service_account_patcher,
valid_google_project_patcher,
db_session,
cloud_manager,
):
"""
Test that an invalid service account gives us the expected error structure
"""
sa_patcher = valid_service_account_patcher
proj_patcher = valid_google_project_patcher
sa_patcher["service_account_has_external_access"].return_value = True
proj_patcher[
"get_service_account_ids_from_google_members"].return_value = [
"*****@*****.**"
]
encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"]
(cloud_manager.return_value.__enter__.return_value.get_service_account.
return_value) = {
"uniqueId": "0",
"email": "*****@*****.**"
}
db_session.add(Project(auth_id="project_a"))
db_session.add(Project(auth_id="project_b"))
db_session.commit()
project_access = ["project_a", "project_b"]
invalid_service_account = {
"service_account_email": "*****@*****.**",
"google_project_id": "some-google-project-872340ajsdkj",
"project_access": project_access,
}
response = client.post(
"/google/service_accounts",
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(invalid_service_account),
content_type="application/json",
)
assert response.status_code == 400
_assert_expected_error_response_structure(response, project_access)
assert response.json["errors"]["service_account_email"]["status"] == 403
def create_awg_user(users, db_session):
s = db_session
for username in list(users.keys()):
user = query_for_user(session=s, username=username)
if not user:
user = User(username=username)
s.add(user)
projects = {}
for project_data in users[username]["projects"]:
auth_id = project_data["auth_id"]
p_name = project_data.get("name", auth_id)
project = s.query(Project).filter(Project.auth_id == auth_id).first()
if not project:
project = Project(name=p_name, auth_id=auth_id)
s.add(project)
projects[p_name] = project
groups = users[username].get("groups", [])
for group in groups:
group_name = group["name"]
group_desc = group["description"]
grp = s.query(Group).filter(Group.name == group_name).first()
if not grp:
grp = Group()
grp.name = group_name
grp.description = group_desc
s.add(grp)
s.flush()
UserToGroup(group=grp, user=user)
for projectname in group["projects"]:
gap = (
s.query(AccessPrivilege)
.join(AccessPrivilege.project)
.join(AccessPrivilege.group)
.filter(Project.name == projectname, Group.name == group_name)
.first()
)
if not gap:
project = projects[projectname]
gap = AccessPrivilege(project_id=project.id, group_id=grp.id)
s.add(gap)
s.flush()
ap = (
s.query(AccessPrivilege)
.join(AccessPrivilege.project)
.join(AccessPrivilege.user)
.filter(Project.name == projectname, User.username == user.username)
.first()
)
privilege = {"read"}
if not ap:
project = projects[projectname]
ap = AccessPrivilege(
project=project, user=user, privilege=privilege
)
s.add(ap)
s.flush()
return user.id, user.username
def test_project(db_session):
project = Project(id=1, name="test_project", auth_id="test_project")
db_session.add(project)
db_session.commit()
yield project
def create_awg_groups(data, db_session):
s = db_session
projects = {}
for project_data in data["projects"]:
auth_id = project_data["auth_id"]
p_name = project_data.get("name", auth_id)
project = s.query(Project).filter(Project.auth_id == auth_id).first()
if not project:
project = Project(name=p_name, auth_id=auth_id)
s.add(project)
projects[p_name] = project
for group in data["groups"]:
group_name = group["name"]
group_desc = group["description"]
grp = s.query(Group).filter(Group.name == group_name).first()
if not grp:
grp = Group()
grp.name = group_name
grp.description = group_desc
s.add(grp)
for projectname in group["projects"]:
gap = (s.query(AccessPrivilege).join(
AccessPrivilege.project).join(AccessPrivilege.group).filter(
Project.name == projectname,
Group.name == group_name).first())
if not gap:
project = projects[projectname]
gap = AccessPrivilege(project_id=project.id, group_id=grp.id)
s.add(gap)
s.flush()
def create_user(users, db_session, is_admin=False):
s = db_session
for username in list(users.keys()):
user = query_for_user(session=s, username=username)
if not user:
user = User(username=username, is_admin=is_admin)
s.add(user)
for project_data in users[username]["projects"]:
privilege = project_data["privilege"]
auth_id = project_data["auth_id"]
p_name = project_data.get("name", auth_id)
project = s.query(Project).filter(
Project.auth_id == auth_id).first()
if not project:
project = Project(name=p_name, auth_id=auth_id)
s.add(project)
ap = (s.query(AccessPrivilege).join(
AccessPrivilege.project).join(AccessPrivilege.user).filter(
Project.name == p_name,
User.username == user.username).first())
if not ap:
ap = AccessPrivilege(project=project,
user=user,
privilege=privilege)
s.add(ap)
else:
ap.privilege = privilege
return user.id, user.username
def test_valid_google_project_access(valid_google_project_patcher,
valid_service_account_patcher,
db_session):
"""
Test that when everything is valid and there are access to data through
projects (access is all valid), the GoogleProjectValidity is valid
and has the expected information.
"""
patcher = valid_google_project_patcher
project1 = Project(auth_id="some-project-auth-id")
project2 = Project(auth_id="some-other-project-auth-id")
db_session.add(project1)
db_session.add(project2)
db_session.commit()
patcher["get_project_access_from_service_accounts"].return_value = [
project1,
project2,
]
google_project_validity = GoogleProjectValidity("some-project-id")
# should evaluate to true by default before checking validity
assert google_project_validity
google_project_validity.check_validity(early_return=False)
# should evaluate to true since it's valid
assert google_project_validity
# test that it contains the correct error information
assert "valid_parent_org" in google_project_validity
assert google_project_validity["valid_parent_org"]
assert "valid_member_types" in google_project_validity
assert google_project_validity["valid_member_types"]
assert "members_exist_in_fence" in google_project_validity
assert google_project_validity["members_exist_in_fence"]
assert "new_service_account" in google_project_validity
assert "service_accounts" in google_project_validity
assert "access" in google_project_validity
assert hasattr(google_project_validity["access"], "__iter__")
assert "some-project-auth-id" in (google_project_validity["access"])
assert "some-other-project-auth-id" in (google_project_validity["access"])
def test_valid_get_google_project_parent_org(
cloud_manager,
client,
app,
encoded_jwt_service_accounts_access,
valid_service_account_patcher,
valid_google_project_patcher,
db_session,
monkeypatch,
):
"""
Test that a valid service account gives us the expected response when it has
parent org BUT that org is whitelisted.
"""
monkeypatch.setitem(config, "WHITE_LISTED_GOOGLE_PARENT_ORGS",
["whitelisted-parent-org"])
(valid_google_project_patcher["get_google_project_parent_org"].return_value
) = "whitelisted-parent-org"
encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"]
db_session.add(Project(auth_id="project_a"))
db_session.add(Project(auth_id="project_b"))
db_session.commit()
project_access = ["project_a", "project_b"]
(cloud_manager.return_value.__enter__.return_value.get_service_account.
return_value) = {
"uniqueId": "0",
"email": "*****@*****.**"
}
valid_service_account = {
"service_account_email": "*****@*****.**",
"google_project_id": "some-google-project-872340ajsdkj",
"project_access": project_access,
}
response = client.post(
"/google/service_accounts",
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(valid_service_account),
content_type="application/json",
)
assert response.status_code == 200
def test_create_projects(db_session):
# setup
project_1_id = "123"
project_1_name = "my-project-1"
project_2_id = "456"
project_2_name = "my-project-2"
provider_id = "789"
bucket_name = "my-bucket-2"
cp = CloudProvider(
id=provider_id,
name=provider_id,
endpoint="https://test.com",
backend="test_backend",
description="description",
service="service",
)
db_session.add(cp)
# only pre-create project 1
p = Project(id=project_1_id, name=project_1_name)
db_session.add(p)
# only pre-create a StorageAccess for project 1
sa = StorageAccess(project_id=project_1_id, provider_id=provider_id)
db_session.add(sa)
# only pre-create a Bucket for project 2
b = Bucket(name=bucket_name, provider_id=provider_id)
db_session.add(b)
# test "fence-create create" projects creation
data = {
"projects": [
{
"id": project_1_id,
"auth_id": "phs-project-1",
"name": project_1_name,
"storage_accesses": [{"name": provider_id, "buckets": ["my-bucket-1"]}],
},
{
"id": project_2_id,
"auth_id": "phs-project-2",
"name": project_2_name,
"storage_accesses": [{"name": provider_id, "buckets": [bucket_name]}],
},
]
}
create_projects(db_session, data)
projects_in_db = db_session.query(Project).all()
assert projects_in_db, "no projects were created"
assert len(projects_in_db) == len(data["projects"])
project_names = {p.name for p in projects_in_db}
assert project_1_name in project_names
assert project_2_name in project_names
def test_patch_service_account_valid_limit(
client,
app,
db_session,
encoded_jwt_service_accounts_access,
register_user_service_account,
user_can_manage_service_account_mock,
valid_user_service_account_mock,
revoke_user_service_account_from_google_mock,
add_user_service_account_to_google_mock,
):
"""
Test that patching with new project_access returns 204
when SERVICE_ACCOUNT_LIMIT number of projects is registered.
"""
encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"]
service_account = register_user_service_account["service_account"]
project_access = []
n_projects = config["SERVICE_ACCOUNT_LIMIT"]
for i in range(n_projects):
project = Project(id=i, auth_id="auth_id_{}".format(i))
bucket = Bucket(id=i)
db_session.add(project)
db_session.add(bucket)
db_session.commit()
project_to_bucket = ProjectToBucket(project_id=i, bucket_id=i)
db_session.add(project_to_bucket)
db_session.commit()
gbag = GoogleBucketAccessGroup(id=i,
bucket_id=i,
email="*****@*****.**")
db_session.add(gbag)
db_session.commit()
project_access.append("auth_id_{}".format(i))
response = client.patch(
"/google/service_accounts/{}".format(quote(service_account.email)),
headers={"Authorization": "Bearer " + encoded_creds_jwt},
content_type="application/json",
data=json.dumps({"project_access": project_access}),
)
assert response.status_code == 204
service_account_accesses = (
db_session.query(ServiceAccountToGoogleBucketAccessGroup).filter_by(
service_account_id=service_account.id)).all()
assert len(service_account_accesses) == config["SERVICE_ACCOUNT_LIMIT"]
def test_delete_user_with_access_privilege(app, db_session):
user = User(username="******")
project = Project(id=1, name="test-project")
access_privilege = AccessPrivilege(user=user, privilege=["read"], project=project)
db_session.add(user)
db_session.add(project)
db_session.add(access_privilege)
db_session.commit()
delete_users(config["DB"], [user.username])
remaining_usernames = db_session.query(User.username).all()
assert db_session.query(User).count() == 0, remaining_usernames
def test_invalid_service_account_dry_run_errors(
cloud_manager,
client,
app,
encoded_jwt_service_accounts_access,
valid_service_account_patcher,
db_session,
):
"""
Test that an invalid service account gives us the expected error structure
"""
valid_service_account_patcher[
"service_account_has_external_access"
].return_value = True
encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"]
db_session.add(Project(auth_id="project_a"))
db_session.add(Project(auth_id="project_b"))
db_session.commit()
project_access = ["project_a", "project_b"]
invalid_service_account = {
"service_account_email": "*****@*****.**",
"google_project_id": "some-google-project-872340ajsdkj",
"project_access": project_access,
}
response = client.post(
"/google/service_accounts/_dry_run",
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(invalid_service_account),
content_type="application/json",
)
assert response.status_code != 200
_assert_expected_error_response_structure(response, project_access)
def test_invalid_google_project_access(valid_google_project_patcher,
db_session):
"""
Test that when the Google Project is invalid, the resulting
GoogleProjectValidity is False-y and contains the expected information.
Here we're testing when the Google Project's members have invalid access.
"""
patcher = valid_google_project_patcher
project = Project(auth_id="some-project-auth-id")
db_session.add(project)
db_session.commit()
patcher["get_project_access_from_service_accounts"].return_value = [
project
]
patcher["get_users_from_google_members"].return_value = ["test-user"]
patcher["do_all_users_have_access_to_project"].return_value = False
google_project_validity = GoogleProjectValidity("some-project-id")
# should evaluate to true by default before checking validity
assert google_project_validity
google_project_validity.check_validity(early_return=False)
# should evaluate to false since invalid
assert not google_project_validity
# test that it contains the correct error information
assert "valid_parent_org" in google_project_validity
assert google_project_validity["valid_parent_org"]
assert "valid_member_types" in google_project_validity
assert google_project_validity["valid_member_types"]
assert "members_exist_in_fence" in google_project_validity
assert google_project_validity["members_exist_in_fence"]
assert "new_service_account" in google_project_validity
assert "service_accounts" in google_project_validity
assert "access" in google_project_validity
assert hasattr(google_project_validity["access"], "__iter__")
assert "some-project-auth-id" in (google_project_validity["access"])
assert not google_project_validity["access"]["some-project-auth-id"]
def create_project(current_session, name, auth_id, storage_accesses):
"""
Creates a project with an associated auth_id and storage access
"""
new_project = Project(name=name, auth_id=auth_id)
current_session.add(new_project)
current_session.flush()
for storage in storage_accesses:
provider = current_session.query(CloudProvider).filter(
CloudProvider.name == storage).first()
if provider:
new_storage_access = StorageAccess(provider_id=provider.id,
project_id=new_project.id)
current_session.add(new_storage_access)
else:
raise NotFound()
return new_project
def setup_data(db_session):
cp = CloudProvider(name="test", endpoint="http://test.endpt")
user = UserServiceAccount(
google_unique_id="test_id", email="*****@*****.**", google_project_id="test"
)
user_1 = UserServiceAccount(
google_unique_id="test_id", email="*****@*****.**", google_project_id="test"
)
user_2 = UserServiceAccount(
google_unique_id="test_id", email="*****@*****.**", google_project_id="test"
)
user_3 = UserServiceAccount(
google_unique_id="test_id", email="*****@*****.**", google_project_id="test"
)
db_session.add(user)
db_session.add(user_1)
db_session.add(user_2)
db_session.add(user_3)
db_session.add(cp)
db_session.commit()
bucket = Bucket(name="bucket1", provider_id=cp.id)
bucket2 = Bucket(name="bucket2", provider_id=cp.id)
bucket3 = Bucket(name="bucket3", provider_id=cp.id)
db_session.add(bucket)
db_session.add(bucket2)
db_session.add(bucket3)
db_session.commit()
project1 = Project(name="test_1", auth_id="test_auth_1")
project2 = Project(name="test_2", auth_id="test_auth_2")
project3 = Project(name="test_3", auth_id="test_auth_3")
db_session.add(project1)
db_session.add(project2)
db_session.add(project3)
db_session.commit()
db_session.add(ProjectToBucket(project_id=project1.id, bucket_id=bucket.id))
db_session.add(ProjectToBucket(project_id=project2.id, bucket_id=bucket2.id))
db_session.add(ProjectToBucket(project_id=project3.id, bucket_id=bucket3.id))
db_session.add(
ServiceAccountAccessPrivilege(
project_id=project1.id, service_account_id=user.id
)
)
db_session.add(
ServiceAccountAccessPrivilege(
project_id=project2.id, service_account_id=user.id
)
)
db_session.add(
ServiceAccountAccessPrivilege(
project_id=project1.id, service_account_id=user_1.id
)
)
db_session.add(
ServiceAccountAccessPrivilege(
project_id=project1.id, service_account_id=user_2.id
)
)
db_session.add(
ServiceAccountAccessPrivilege(
project_id=project1.id, service_account_id=user_3.id
)
)
access_grp = GoogleBucketAccessGroup(
bucket_id=bucket.id, email="*****@*****.**"
)
access_grp2 = GoogleBucketAccessGroup(
bucket_id=bucket2.id, email="*****@*****.**"
)
access_grp3 = GoogleBucketAccessGroup(
bucket_id=bucket3.id, email="*****@*****.**"
)
db_session.add(access_grp)
db_session.add(access_grp2)
db_session.add(access_grp3)
db_session.commit()
service_account_grp1 = ServiceAccountToGoogleBucketAccessGroup(
service_account_id=user.id, access_group_id=access_grp.id
)
service_account_grp2 = ServiceAccountToGoogleBucketAccessGroup(
service_account_id=user.id, access_group_id=access_grp2.id
)
db_session.add(service_account_grp1)
db_session.add(service_account_grp2)
db_session.commit()
def test_invalid_project_limit_service_account_registration(
app,
db_session,
client,
encoded_jwt_service_accounts_access,
cloud_manager,
valid_google_project_patcher,
):
"""
Test that we get a 400 when there are SERVICE_ACCOUNT_LIMIT + 1 number of projects and the databse isn't updated.
"""
proj_patcher = valid_google_project_patcher
project_access = []
n_projects = config["SERVICE_ACCOUNT_LIMIT"] + 1
for i in range(n_projects):
project = Project(id=i, auth_id="auth_id_{}".format(i))
bucket = Bucket(id=i)
db_session.add(project)
db_session.add(bucket)
db_session.commit()
project_to_bucket = ProjectToBucket(project_id=i, bucket_id=i)
db_session.add(project_to_bucket)
db_session.commit()
gbag = GoogleBucketAccessGroup(id=i,
bucket_id=i,
email="*****@*****.**")
db_session.add(gbag)
db_session.commit()
project_access.append("auth_id_{}".format(i))
google_project_id = "project-id"
encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"]
proj_patcher["get_service_account_ids_from_google_members"].return_value = [
"test-{}@test.com".format(google_project_id),
"{}@compute-system.iam.gserviceaccount.com".format(google_project_id),
]
valid_service_account = {
"service_account_email": "*****@*****.**",
"google_project_id": google_project_id,
"project_access": project_access,
}
(cloud_manager.return_value.__enter__.return_value.get_service_account.
return_value) = {
"uniqueId": "sa_unique_id",
"email": "*****@*****.**"
}
(cloud_manager.return_value.__enter__.return_value.add_member_to_group.
return_value) = {
"email": "*****@*****.**"
}
assert len(db_session.query(UserServiceAccount).all()) == 0
assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 0
assert len(
db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 0
response = client.post(
"/google/service_accounts",
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(valid_service_account),
content_type="application/json",
)
assert response.status_code == 400
assert len(db_session.query(UserServiceAccount).all()) == 0
assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 0
assert len(
db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 0
def register_user_service_account(db_session):
cp = db_session.query(CloudProvider).filter_by(name="test").first()
if not cp:
cp = CloudProvider(name="test", endpoint="http://test.endpt")
db_session.add(cp)
db_session.commit()
bucket1 = db_session.query(Bucket).filter_by(name="bucket1").first()
if not bucket1:
bucket1 = Bucket(name="bucket1", provider_id=cp.id)
db_session.add(bucket1)
db_session.commit()
bucket2 = db_session.query(Bucket).filter_by(name="bucket2").first()
if not bucket2:
bucket2 = Bucket(name="bucket2", provider_id=cp.id)
db_session.add(bucket2)
db_session.commit()
project1 = db_session.query(Project).filter_by(name="test_1").first()
if not project1:
project1 = Project(name="test_1", auth_id="test_auth_1")
db_session.add(project1)
db_session.commit()
project2 = db_session.query(Project).filter_by(name="test_2").first()
if not project2:
project2 = Project(name="test_2", auth_id="test_auth_2")
db_session.add(project2)
db_session.commit()
access_grp1 = (
db_session.query(GoogleBucketAccessGroup)
.filter_by(email="*****@*****.**")
.first()
)
if not access_grp1:
access_grp1 = GoogleBucketAccessGroup(
bucket_id=bucket1.id, email="*****@*****.**"
)
db_session.add(access_grp1)
db_session.commit()
access_grp2 = (
db_session.query(GoogleBucketAccessGroup)
.filter_by(email="*****@*****.**")
.first()
)
if not access_grp2:
access_grp2 = GoogleBucketAccessGroup(
bucket_id=bucket2.id, email="*****@*****.**"
)
db_session.add(access_grp2)
db_session.commit()
project_to_bucket1 = (
db_session.query(ProjectToBucket).filter_by(project_id=project1.id).first()
)
if not project_to_bucket1:
project_to_bucket1 = ProjectToBucket(
project_id=project1.id, bucket_id=bucket1.id
)
db_session.add(project_to_bucket1)
db_session.commit()
project_to_bucket2 = (
db_session.query(ProjectToBucket).filter_by(project_id=project2.id).first()
)
if not project_to_bucket2:
project_to_bucket2 = ProjectToBucket(
project_id=project2.id, bucket_id=bucket2.id
)
db_session.add(project_to_bucket2)
db_session.commit()
# new service account each time this is called
random_string = "".join(
random.choice(string.ascii_uppercase + string.digits) for _ in range(6)
)
user = UserServiceAccount(
google_unique_id="{}".format(random_string),
email="{}@test.iam.gserviceaccount.com".format(random_string),
google_project_id="test",
)
db_session.add(user)
db_session.commit()
db_session.add(
ServiceAccountAccessPrivilege(
project_id=project1.id, service_account_id=user.id
)
)
db_session.add(
ServiceAccountAccessPrivilege(
project_id=project2.id, service_account_id=user.id
)
)
# expiration set to 0 for testing that it gets set
current_time = 0
service_account_grp1 = ServiceAccountToGoogleBucketAccessGroup(
service_account_id=user.id, access_group_id=access_grp1.id, expires=current_time
)
service_account_grp2 = ServiceAccountToGoogleBucketAccessGroup(
service_account_id=user.id, access_group_id=access_grp2.id, expires=current_time
)
db_session.add(service_account_grp1)
db_session.add(service_account_grp2)
db_session.commit()
return {
"service_account": user,
"projects": [project1, project2],
"buckets": [bucket1, bucket2],
"bucket_access_groups": [access_grp1, access_grp2],
}
def invalid_service_account_not_exist(db_session):
invalid_service_account = "*****@*****.**"
user = UserServiceAccount(
google_unique_id="invalid_test_id",
email=invalid_service_account,
google_project_id="test",
)
db_session.add(user)
db_session.commit()
cp = db_session.query(CloudProvider).filter_by(name="test").first()
if not cp:
cp = CloudProvider(name="test", endpoint="http://test.endpt")
db_session.add(cp)
db_session.commit()
bucket1 = db_session.query(Bucket).filter_by(name="bucket1").first()
if not bucket1:
bucket1 = Bucket(name="bucket1", provider_id=cp.id)
db_session.add(bucket1)
db_session.commit()
project1 = db_session.query(Project).filter_by(name="test_1").first()
if not project1:
project1 = Project(name="test_1", auth_id="test_auth_1")
db_session.add(project1)
db_session.commit()
access_grp1 = (
db_session.query(GoogleBucketAccessGroup)
.filter_by(email="*****@*****.**")
.first()
)
if not access_grp1:
access_grp1 = GoogleBucketAccessGroup(
bucket_id=bucket1.id, email="*****@*****.**"
)
db_session.add(access_grp1)
db_session.commit()
db_session.add(
ServiceAccountAccessPrivilege(
project_id=project1.id, service_account_id=user.id
)
)
db_session.commit()
# expiration set to 0 for testing that it gets set
current_time = 0
service_account_grp1 = ServiceAccountToGoogleBucketAccessGroup(
service_account_id=user.id, access_group_id=access_grp1.id, expires=current_time
)
db_session.add(service_account_grp1)
db_session.commit()
def mock_is_valid(sa_email, *args, **kwargs):
if sa_email == invalid_service_account:
validity = GoogleServiceAccountValidity("account_id", "project_id")
# set overall validity to False
# set policy_accessible to False so the SA is removed from the DB
validity["policy_accessible"] = False
validity._valid = False
return validity
return True
patcher = patch(
"fence.scripting.google_monitor._is_valid_service_account", mock_is_valid
)
patcher.start()
yield {
"service_account": user,
"projects": [project1],
"bucket_access_groups": [access_grp1],
}
patcher.stop()
def test_register_service_account_already_exists(
app,
db_session,
client,
encoded_jwt_service_accounts_access,
cloud_manager,
valid_google_project_patcher,
valid_service_account_patcher,
):
project = Project(id=1, auth_id="some_auth_id")
bucket = Bucket(id=1)
db_session.add(project)
db_session.add(bucket)
db_session.commit()
project_to_bucket = ProjectToBucket(project_id=1, bucket_id=1)
db_session.add(project_to_bucket)
db_session.commit()
gbag = GoogleBucketAccessGroup(id=1, bucket_id=1, email="*****@*****.**")
db_session.add(gbag)
db_session.commit()
encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"]
project_access = ["some_auth_id"]
valid_service_account = {
"service_account_email": "*****@*****.**",
"google_project_id": "project-id",
"project_access": project_access,
}
(cloud_manager.return_value.__enter__.return_value.get_service_account.
return_value) = {
"uniqueId": "sa_unique_id",
"email": "*****@*****.**"
}
(cloud_manager.return_value.__enter__.return_value.add_member_to_group.
return_value) = {
"email": "*****@*****.**"
}
response = client.post(
"/google/service_accounts",
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(valid_service_account),
content_type="application/json",
)
assert response.status_code == 200
response = client.post(
"/google/service_accounts",
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(valid_service_account),
content_type="application/json",
)
assert response.status_code == 400
assert response.json["errors"]["service_account_email"]["status"] == 409
assert len(db_session.query(UserServiceAccount).all()) == 1
assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 1
assert len(
db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 1
def test_valid_service_account_registration_multiple_service_accounts(
app,
db_session,
client,
encoded_jwt_service_accounts_access,
cloud_manager,
valid_google_project_patcher,
valid_service_account_patcher,
):
"""
Test that a valid service account registration request returns
200 and succesfully creates entries in database when the Google project
has both another valid service account in the project and a Google-managed
system service account.
"""
proj_patcher = valid_google_project_patcher
project = Project(id=1, auth_id="some_auth_id")
bucket = Bucket(id=1)
db_session.add(project)
db_session.add(bucket)
db_session.commit()
project_to_bucket = ProjectToBucket(project_id=1, bucket_id=1)
db_session.add(project_to_bucket)
db_session.commit()
gbag = GoogleBucketAccessGroup(id=1, bucket_id=1, email="*****@*****.**")
db_session.add(gbag)
db_session.commit()
google_project_id = "project-id"
encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"]
project_access = ["some_auth_id"]
proj_patcher["get_service_account_ids_from_google_members"].return_value = [
"test-{}@test.com".format(google_project_id),
"{}@compute-system.iam.gserviceaccount.com".format(google_project_id),
]
valid_service_account = {
"service_account_email": "*****@*****.**",
"google_project_id": google_project_id,
"project_access": project_access,
}
(cloud_manager.return_value.__enter__.return_value.get_service_account.
return_value) = {
"uniqueId": "sa_unique_id",
"email": "*****@*****.**"
}
(cloud_manager.return_value.__enter__.return_value.add_member_to_group.
return_value) = {
"email": "*****@*****.**"
}
assert len(db_session.query(UserServiceAccount).all()) == 0
assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 0
assert len(
db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 0
response = client.post(
"/google/service_accounts",
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(valid_service_account),
content_type="application/json",
)
assert response.status_code == 200
assert len(db_session.query(UserServiceAccount).all()) == 1
assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 1
assert len(
db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 1
def test_service_account_registration_expires_in(
app,
db_session,
client,
encoded_jwt_service_accounts_access,
cloud_manager,
valid_google_project_patcher,
valid_service_account_patcher,
):
"""
Test that a service account registration with a valid expires_in is
successful, and that a registration with an invalid expires_in is not.
"""
project = Project(id=1, auth_id="some_auth_id")
bucket = Bucket(id=1)
db_session.add(project)
db_session.add(bucket)
db_session.commit()
project_to_bucket = ProjectToBucket(project_id=1, bucket_id=1)
db_session.add(project_to_bucket)
db_session.commit()
gbag = GoogleBucketAccessGroup(id=1, bucket_id=1, email="*****@*****.**")
db_session.add(gbag)
db_session.commit()
encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"]
project_access = ["some_auth_id"]
valid_service_account = {
"service_account_email": "*****@*****.**",
"google_project_id": "project-id",
"project_access": project_access,
}
(cloud_manager.return_value.__enter__.return_value.get_service_account.
return_value) = {
"uniqueId": "sa_unique_id",
"email": "*****@*****.**"
}
(cloud_manager.return_value.__enter__.return_value.add_member_to_group.
return_value) = {
"email": "*****@*****.**"
}
assert len(db_session.query(UserServiceAccount).all()) == 0
assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 0
assert len(
db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 0
# valid expires_in: should succeed
requested_exp = 60
response = client.post(
"/google/service_accounts?expires_in={}".format(requested_exp),
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(valid_service_account),
content_type="application/json",
)
assert response.status_code == 200 # check if success
assert len(db_session.query(UserServiceAccount).all()) == 1
assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 1
sa_to_bucket_entries = db_session.query(
ServiceAccountToGoogleBucketAccessGroup).all()
assert len(sa_to_bucket_entries) == 1
# make sure the access was granted for the requested time
# (allow up to 2 sec for runtime)
diff = sa_to_bucket_entries[0].expires - int(time.time())
assert requested_exp - 2 <= diff <= requested_exp
# invalid expires_in: should fail
requested_exp = "abc" # expires_in must be int >0
response = client.post(
"/google/service_accounts?expires_in={}".format(requested_exp),
headers={"Authorization": "Bearer " + encoded_creds_jwt},
data=json.dumps(valid_service_account),
content_type="application/json",
)
assert response.status_code == 400 # check if failure
