def test_shell(session, users, http_client, base_url, graph): user = users['*****@*****.**'] assert not get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY) set_user_metadata(session, user.id, USER_METADATA_SHELL_KEY, "/bin/bash") graph.update_from_db(session) fe_url = url(base_url, '/users/{}'.format(user.username)) resp = yield http_client.fetch(fe_url) assert resp.code == 200 body = json.loads(resp.body) assert body["data"]["user"]["metadata"] != [], "There should be metadata" assert len(body["data"]["user"]["metadata"]) == 1, "There should only be 1 metadata!" assert body["data"]["user"]["metadata"][0]["data_key"] == "shell", "There should only be 1 metadata!" assert body["data"]["user"]["metadata"][0]["data_value"] == "/bin/bash", "The shell should be set to the correct value" set_user_metadata(session, user.id, USER_METADATA_SHELL_KEY, "/bin/zsh") graph.update_from_db(session) fe_url = url(base_url, '/users/{}'.format(user.username)) resp = yield http_client.fetch(fe_url) assert resp.code == 200 body = json.loads(resp.body) assert body["data"]["user"]["metadata"] != [], "There should be metadata" assert body["data"]["user"]["metadata"][0]["data_key"] == "shell", "There should only be 1 metadata!" assert body["data"]["user"]["metadata"][0]["data_value"] == "/bin/zsh", "The shell should be set to the correct value" assert len(body["data"]["user"]["metadata"]) == 1, "There should only be 1 metadata!"
def test_graph_desc_to_ances(session, graph, users, groups): # noqa """ Test adding members where all descendants already exist.""" setup_desc_to_ances(session, users, groups) session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-infra") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"]) assert get_users(graph, "all-teams") == set(["*****@*****.**", "*****@*****.**", "*****@*****.**"]) assert get_users(graph, "all-teams", cutoff=1) == set(["*****@*****.**"]) assert get_groups(graph, "*****@*****.**") == set(["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**") == set(["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "*****@*****.**") == set(["all-teams"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["all-teams"])
def test_passwords_api(session, users, http_client, base_url, graph): user = users['*****@*****.**'] TEST_PASSWORD = "******" add_new_user_password(session, "test", TEST_PASSWORD, user.id) assert len(user_passwords(session, user)) == 1, "The user should only have a single password" graph.update_from_db(session) c = Counter.get(session, name="updates") api_url = url(base_url, '/users/{}'.format(user.username)) resp = yield http_client.fetch(api_url) body = json.loads(resp.body) assert body["checkpoint"] == c.count, "The API response is not up to date" assert body["data"]["user"]["passwords"] != [], "The user should not have an empty passwords field" assert body["data"]["user"]["passwords"][0]["name"] == "test", "The password should have the same name" assert body["data"]["user"]["passwords"][0]["func"] == "crypt(3)-$6$", "This test does not support any hash functions other than crypt(3)-$6$" assert body["data"]["user"]["passwords"][0]["hash"] == crypt.crypt(TEST_PASSWORD, body["data"]["user"]["passwords"][0]["salt"]), "The hash should be the same as hashing the password and the salt together using the hashing function" assert body["data"]["user"]["passwords"][0]["hash"] != crypt.crypt("hello", body["data"]["user"]["passwords"][0]["salt"]), "The hash should not be the same as hashing the wrong password and the salt together using the hashing function" delete_user_password(session, "test", user.id) c = Counter.get(session, name="updates") graph.update_from_db(session) api_url = url(base_url, '/users/{}'.format(user.username)) resp = yield http_client.fetch(api_url) body = json.loads(resp.body) assert body["checkpoint"] == c.count, "The API response is not up to date" assert body["data"]["user"]["passwords"] == [], "The user should not have any passwords"
def test_user_disable(session, graph, users, user_admin_perm_to_auditors, http_client, base_url): username = u"*****@*****.**" old_groups = sorted(get_groups(graph, username)) # disable user fe_url = url(base_url, "/users/{}/disable".format(username)) resp = yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": "******"}, body=urlencode({})) assert resp.code == 200 # enable user, PRESERVE groups fe_url = url(base_url, "/users/{}/enable".format(username)) resp = yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": "******"}, body=urlencode({"preserve_membership": "true"})) assert resp.code == 200 graph.update_from_db(session) assert old_groups == sorted(get_groups(graph, username)), 'nothing should be removed' # disable and enable, PURGE groups fe_url = url(base_url, "/users/{}/disable".format(username)) resp = yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": "******"}, body=urlencode({})) assert resp.code == 200 fe_url = url(base_url, "/users/{}/enable".format(username)) resp = yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": "******"}, body=urlencode({})) assert resp.code == 200 graph.update_from_db(session) assert len(get_groups(graph, username)) == 0, 'all group membership should be removed'
def test_graph_desc_to_ances(session, graph, users, groups): # noqa """ Test adding members where all descendants already exist.""" setup_desc_to_ances(session, users, groups) session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-infra") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"]) assert get_users(graph, "all-teams") == set( ["*****@*****.**", "*****@*****.**", "*****@*****.**"]) assert get_users(graph, "all-teams", cutoff=1) == set(["*****@*****.**"]) assert get_groups(graph, "*****@*****.**") == set( ["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**") == set( ["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "*****@*****.**") == set(["all-teams"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["all-teams"])
def test_graph_edit_role(session, graph, standard_graph, groups, users): """Test that membership role changes are refected in the graph.""" username = "******" user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"] assert user_role == "np-owner" groups["tech-ops"].edit_member(users["*****@*****.**"], users[username], "a reason", role="owner") graph.update_from_db(session) user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"] assert user_role == "owner"
def test_tags(session, users, http_client, base_url, graph): user = session.query(User).filter_by(username="******").scalar() perm = Permission(name=TAG_EDIT, description="Why is this not nullable?") perm.add(session) session.commit() perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?") perm2.add(session) session.commit() grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*") grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*") tag = PublicKeyTag(name="tyler_was_here") tag.add(session) session.commit() tag = PublicKeyTag.get(session, name="tyler_was_here") user = session.query(User).filter_by(username="******").scalar() grant_permission_to_tag(session, tag.id, perm.id, "prod") user = session.query(User).filter_by(username="******").scalar() add_public_key(session, user, key1) key = session.query(PublicKey).filter_by(user_id=user.id).scalar() user = session.query(User).filter_by(username="******").scalar() add_tag_to_public_key(session, key, tag) user = session.query(User).filter_by(username="******").scalar() key = session.query(PublicKey).filter_by(user_id=user.id).scalar() assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission" assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT" assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument" assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission" graph.update_from_db(session) fe_url = url(base_url, '/users/{}'.format(user.username)) resp = yield http_client.fetch(fe_url) assert resp.code == 200 body = json.loads(resp.body) pub_key = body['data']['user']['public_keys'][0] assert len(pub_key['tags']) == 1, "The public key should only have 1 tag" assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_tags(session, http_client, base_url, graph): perm = Permission(name=TAG_EDIT, description="Why is this not nullable?") perm.add(session) session.commit() perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?") perm2.add(session) session.commit() grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*") grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*") tag = PublicKeyTag(name="tyler_was_here") tag.add(session) session.commit() tag = PublicKeyTag.get(session, name="tyler_was_here") grant_permission_to_tag(session, tag.id, perm.id, "prod") with pytest.raises(AssertionError): grant_permission_to_tag(session, tag.id, perm.id, "question?") user = session.query(User).filter_by(username="******").scalar() add_public_key(session, user, SSH_KEY_1) key = session.query(PublicKey).filter_by(user_id=user.id).scalar() add_tag_to_public_key(session, key, tag) user = session.query(User).filter_by(username="******").scalar() key = session.query(PublicKey).filter_by(user_id=user.id).scalar() assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission" assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT" assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument" assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission" graph.update_from_db(session) fe_url = url(base_url, '/users/{}'.format(user.username)) resp = yield http_client.fetch(fe_url) assert resp.code == 200 body = json.loads(resp.body) pub_key = body['data']['user']['public_keys'][0] assert len(pub_key['tags']) == 1, "The public key should only have 1 tag" assert pub_key['fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35' assert pub_key['fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU' assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_grant_and_revoke(session, standard_graph, graph, groups, permissions, http_client, base_url): """Test that permission grant and revokes are reflected correctly.""" group_name = "team-sre" permission_name = "sudo" user_name = "*****@*****.**" def _check_graph_for_perm(graph): return any(map(lambda x: x.permission == permission_name, graph.permission_metadata[group_name])) # make some permission admins perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="") session.commit() grant_permission(groups["security-team"], perm_admin) # grant attempt by non-permission admin fe_url = url(base_url, "/permissions/grant/{}".format(group_name)) with pytest.raises(HTTPError): yield http_client.fetch(fe_url, method="POST", body=urlencode({"permission": permission_name, "argument": "specific_arg"}), headers={'X-Grouper-User': "******"}) graph.update_from_db(session) assert not _check_graph_for_perm(graph), "no permissions granted" # grant by permission admin resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({"permission": permission_name, "argument": "specific_arg"}), headers={'X-Grouper-User': user_name}) assert resp.code == 200 graph.update_from_db(session) assert _check_graph_for_perm(graph), "permissions granted, successfully" # figure out mapping_id of grant permission_id = Permission.get(session, name=permission_name).id group_id = Group.get(session, name=group_name).id mapping = session.query(PermissionMap).filter( PermissionMap.permission_id == permission_id, PermissionMap.group_id == group_id).first() # revoke permission by non-admin fe_url = url(base_url, "/permissions/{}/revoke/{}".format(permission_name, mapping.id)) with pytest.raises(HTTPError): yield http_client.fetch(fe_url, method="POST", body=urlencode({}), headers={'X-Grouper-User': "******"}) graph.update_from_db(session) assert _check_graph_for_perm(graph), "permissions not revoked" # revoke permission for realz resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({}), headers={'X-Grouper-User': user_name}) assert resp.code == 200 graph.update_from_db(session) assert not _check_graph_for_perm(graph), "permissions revoked successfully"
def test_graph_disable(session, graph, users, groups, user_admin_perm_to_auditors, http_client, base_url): graph.update_from_db(session) old_users = graph.users assert sorted(old_users) == sorted(users.keys()) # disable a user username = u"*****@*****.**" fe_url = url(base_url, "/users/{}/disable".format(username)) resp = yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": "******"}, body=urlencode({})) assert resp.code == 200 graph.update_from_db(session) assert len(graph.users) == (len(old_users) - 1), 'disabled user removed from graph' assert username not in graph.users
def test_graph_cycle_indirect(session, graph, users, groups): # noqa """ Test adding a member that will create a cycle. gary zay testuser | | | sre <----- tech-ops <----- team-infra <-- | | | | --------> all-teams -------------------- """ add_member(groups["team-sre"], users["*****@*****.**"]) add_member(groups["tech-ops"], users["*****@*****.**"]) add_member(groups["team-infra"], users["*****@*****.**"]) add_member(groups["team-sre"], groups["tech-ops"]) add_member(groups["tech-ops"], groups["team-infra"]) add_member(groups["team-infra"], groups["all-teams"]) add_member(groups["all-teams"], groups["team-sre"]) session.commit() graph.update_from_db(session) all_users = set(["*****@*****.**", "*****@*****.**", "*****@*****.**"]) all_groups = set(["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_users(graph, "team-sre") == all_users assert get_users(graph, "team-sre", cutoff=1) == set(["*****@*****.**"]) assert get_users(graph, "tech-ops") == all_users assert get_users(graph, "tech-ops", cutoff=1) == set(["*****@*****.**"]) assert get_users(graph, "team-infra") == all_users assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"]) assert get_users(graph, "all-teams") == all_users assert get_users(graph, "all-teams", cutoff=1) == set([]) assert get_groups(graph, "*****@*****.**") == all_groups assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre"]) assert get_groups(graph, "*****@*****.**") == all_groups assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["tech-ops"]) assert get_groups(graph, "*****@*****.**") == all_groups assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-infra"])
def test_graph_disable(session, graph, groups, http_client, base_url): # noqa """ Test that disabled groups work with the graph as expected.""" groupname = u'serving-team' graph.update_from_db(session) old_groups = graph.groups assert sorted(old_groups) == sorted(groups.keys()) assert groupname in graph.permission_metadata # disable a group fe_url = url(base_url, '/groups/{}/disable'.format(groupname)) resp = yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": "******"}, body=urlencode({"name": groupname})) assert resp.code == 200 graph.update_from_db(session) assert len(graph.groups) == (len(old_groups) - 1), 'disabled group removed from graph' assert groupname not in graph.groups assert groupname not in graph.permission_metadata
def test_graph_add_member_existing(session, graph, users, groups): # noqa """ Test adding members to an existing relationship.""" add_member(groups["team-sre"], users["*****@*****.**"], role="owner") add_member(groups["tech-ops"], users["*****@*****.**"], role="owner") add_member(groups["team-infra"], users["*****@*****.**"], role="owner") add_member(groups["team-infra"], groups["team-sre"]) add_member(groups["team-infra"], groups["tech-ops"]) add_member(groups["all-teams"], users["*****@*****.**"], role="owner") add_member(groups["all-teams"], groups["team-infra"]) add_member(groups["team-sre"], users["*****@*****.**"]) add_member(groups["tech-ops"], users["*****@*****.**"]) session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-infra") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"]) assert get_users(graph, "all-teams") == set( ["*****@*****.**", "*****@*****.**", "*****@*****.**"]) assert get_users(graph, "all-teams", cutoff=1) == set(["*****@*****.**"]) assert get_groups(graph, "*****@*****.**") == set( ["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**") == set( ["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "*****@*****.**") == set(["all-teams"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["all-teams"])
def test_graph_cycle_direct(session, graph, users, groups): # noqa """ Test adding members where all descendants already exist.""" add_member(groups["team-sre"], users["*****@*****.**"]) add_member(groups["tech-ops"], users["*****@*****.**"]) add_member(groups["team-sre"], groups["tech-ops"]) add_member(groups["tech-ops"], groups["team-sre"]) session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-sre", cutoff=1) == set(["*****@*****.**"]) assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "tech-ops", cutoff=1) == set(["*****@*****.**"]) assert get_groups(graph, "*****@*****.**") == set(["team-sre", "tech-ops"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre"]) assert get_groups(graph, "*****@*****.**") == set(["team-sre", "tech-ops"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["tech-ops"])
def test_basic_permission(standard_graph, session, users, groups, permissions): # noqa """ Test adding some permissions to various groups and ensuring that the permissions are all implemented as expected. This also tests permissions inheritance in the graph. """ graph = standard_graph # noqa grant_permission(groups["team-sre"], permissions["ssh"], argument="*") grant_permission(groups["tech-ops"], permissions["ssh"], argument="shell") grant_permission(groups["team-infra"], permissions["sudo"], argument="shell") session.commit() graph.update_from_db(session) assert sorted(get_group_permissions(graph, "team-sre")) == ["ssh:*", "sudo:shell"] assert sorted(get_group_permissions(graph, "tech-ops")) == ["ssh:shell", "sudo:shell"] assert sorted(get_group_permissions(graph, "team-infra")) == ["sudo:shell"] assert sorted(get_group_permissions(graph, "all-teams")) == [] assert sorted(get_user_permissions(graph, "gary")) == ["ssh:*", "ssh:shell", "sudo:shell"] assert sorted(get_user_permissions(graph, "zay")) == ["ssh:*", "ssh:shell", "sudo:shell"] assert sorted(get_user_permissions(graph, "zorkian")) == ["ssh:*", "sudo:shell"] assert sorted(get_user_permissions(graph, "testuser")) == []
def test_graph_add_member_existing(session, graph, users, groups): # noqa """ Test adding members to an existing relationship.""" add_member(groups["team-sre"], users["*****@*****.**"], role="owner") add_member(groups["tech-ops"], users["*****@*****.**"], role="owner") add_member(groups["team-infra"], users["*****@*****.**"], role="owner") add_member(groups["team-infra"], groups["team-sre"]) add_member(groups["team-infra"], groups["tech-ops"]) add_member(groups["all-teams"], users["*****@*****.**"], role="owner") add_member(groups["all-teams"], groups["team-infra"]) add_member(groups["team-sre"], users["*****@*****.**"]) add_member(groups["tech-ops"], users["*****@*****.**"]) session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-infra") == set(["*****@*****.**", "*****@*****.**"]) assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"]) assert get_users(graph, "all-teams") == set(["*****@*****.**", "*****@*****.**", "*****@*****.**"]) assert get_users(graph, "all-teams", cutoff=1) == set(["*****@*****.**"]) assert get_groups(graph, "*****@*****.**") == set(["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**") == set(["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "*****@*****.**") == set(["all-teams"]) assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["all-teams"])
def test_graph_with_removes(session, graph, users, groups): # noqa """ Test adding members where all descendants already exist.""" setup_desc_to_ances(session, users, groups) groups["team-infra"].revoke_member(users["gary"], users["gary"], "Unit Testing") session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["gary", "zay"]) assert get_users(graph, "tech-ops") == set(["gary", "zay"]) assert get_users(graph, "team-infra") == set(["gary", "zay"]) assert get_users(graph, "team-infra", cutoff=1) == set() assert get_users(graph, "all-teams") == set(["gary", "zay", "testuser"]) assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"]) assert get_groups(graph, "gary") == set(["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "zay") == set(["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "testuser") == set(["all-teams"]) assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"]) groups["all-teams"].revoke_member(users["gary"], groups["team-infra"], "Unit Testing") session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["gary", "zay"]) assert get_users(graph, "tech-ops") == set(["gary", "zay"]) assert get_users(graph, "team-infra") == set(["gary", "zay"]) assert get_users(graph, "team-infra", cutoff=1) == set([]) assert get_users(graph, "all-teams") == set(["testuser"]) assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"]) assert get_groups(graph, "gary") == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "zay") == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "testuser") == set(["all-teams"]) assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"]) groups["team-infra"].revoke_member(users["gary"], groups["tech-ops"], "Unit Testing") session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["gary", "zay"]) assert get_users(graph, "tech-ops") == set(["gary", "zay"]) assert get_users(graph, "team-infra") == set(["gary", "zay"]) assert get_users(graph, "team-infra", cutoff=1) == set([]) assert get_users(graph, "all-teams") == set(["testuser"]) assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"]) assert get_groups(graph, "gary") == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "zay") == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "testuser") == set(["all-teams"]) assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"])
def test_audit_end_to_end(session, users, groups, http_client, base_url, graph): # noqa """ Tests an end-to-end audit cycle. """ groupname = "audited-team" zay_id = users["*****@*****.**"].id gary_id = users["*****@*****.**"].id # make everyone an auditor or global audit will have issues add_member(groups["auditors"], users["*****@*****.**"]) add_member(groups["auditors"], users["*****@*****.**"]) add_member(groups["auditors"], users["*****@*****.**"]) add_member(groups["auditors"], users["*****@*****.**"]) # add some users to test removal add_member(groups[groupname], users["*****@*****.**"]) add_member(groups[groupname], users["*****@*****.**"]) graph.update_from_db(session) # start the audit end_at_str = (datetime.now() + timedelta(days=10)).strftime("%m/%d/%Y") fe_url = url(base_url, "/audits/create") resp = yield http_client.fetch( fe_url, method="POST", body=urlencode({"ends_at": end_at_str}), headers={"X-Grouper-User": "******"} ) assert resp.code == 200 open_audits = get_audits(session, only_open=True).all() assert len(open_audits) == 4, "audits created" assert groupname in [x.group.name for x in open_audits], "group we expect also gets audit" # pull all the info we need to resolve audits, avoids detached sqlalchemy sessions AuditMember = namedtuple("AuditMember", "am_id, edge_type, edge_id") Audit = namedtuple("Audit", "audit_id, owner_name, group_name, audit_members") all_group_ids = [x.group.id for x in open_audits] open_audits = [ Audit( x.id, x.group.my_owners().iterkeys().next(), x.group.name, [AuditMember(am.id, am.edge.member_type, am.edge_id) for am in x.my_members()], ) for x in open_audits ] # approve everything but the one we added members to for one_audit in open_audits: fe_url = url(base_url, "/audits/{}/complete".format(one_audit.audit_id)) if one_audit.group_name == groupname: continue # blanket approval body = urlencode({"audit_{}".format(am.am_id): "approved" for am in one_audit.audit_members}) resp = yield http_client.fetch( fe_url, method="POST", body=body, headers={"X-Grouper-User": one_audit.owner_name} ) assert resp.code == 200 open_audits = get_audits(session, only_open=True).all() assert len(open_audits) == 1, "only our test group remaining" one_audit = open_audits[0] one_audit.id body_dict = {} for am in one_audit.my_members(): if gary_id == am.member.id: # deny body_dict["audit_{}".format(am.id)] = "remove" else: # approve body_dict["audit_{}".format(am.id)] = "approved" owner_name = one_audit.group.my_owners().iterkeys().next() fe_url = url(base_url, "/audits/{}/complete".format(one_audit.id)) resp = yield http_client.fetch( fe_url, method="POST", body=urlencode(body_dict), headers={"X-Grouper-User": owner_name} ) assert resp.code == 200 # check all the logs assert len(AuditLog.get_entries(session, action="start_audit")) == 1, "global start is logged" assert len(AuditLog.get_entries(session, action="complete_global_audit")) == 1, "global complete is logged" for group_id in all_group_ids: assert ( len( AuditLog.get_entries( session, on_group_id=group_id, action="complete_audit", category=AuditLogCategory.audit ) ) == 1 ), "complete entry for each group" assert ( len(AuditLog.get_entries(session, on_user_id=gary_id, category=AuditLogCategory.audit)) == 1 ), "removal AuditLog entry on user"
def test_graph_with_removes(session, graph, users, groups): # noqa """ Test adding members where all descendants already exist.""" setup_desc_to_ances(session, users, groups) groups["team-infra"].revoke_member(users["gary"], users["gary"], "Unit Testing") session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["gary", "zay"]) assert get_users(graph, "tech-ops") == set(["gary", "zay"]) assert get_users(graph, "team-infra") == set(["gary", "zay"]) assert get_users(graph, "team-infra", cutoff=1) == set() assert get_users(graph, "all-teams") == set(["gary", "zay", "testuser"]) assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"]) assert get_groups(graph, "gary") == set( ["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "zay") == set( ["team-sre", "all-teams", "tech-ops", "team-infra"]) assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "testuser") == set(["all-teams"]) assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"]) groups["all-teams"].revoke_member(users["gary"], groups["team-infra"], "Unit Testing") session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["gary", "zay"]) assert get_users(graph, "tech-ops") == set(["gary", "zay"]) assert get_users(graph, "team-infra") == set(["gary", "zay"]) assert get_users(graph, "team-infra", cutoff=1) == set([]) assert get_users(graph, "all-teams") == set(["testuser"]) assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"]) assert get_groups(graph, "gary") == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "zay") == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "testuser") == set(["all-teams"]) assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"]) groups["team-infra"].revoke_member(users["gary"], groups["tech-ops"], "Unit Testing") session.commit() graph.update_from_db(session) assert get_users(graph, "team-sre") == set(["gary", "zay"]) assert get_users(graph, "tech-ops") == set(["gary", "zay"]) assert get_users(graph, "team-infra") == set(["gary", "zay"]) assert get_users(graph, "team-infra", cutoff=1) == set([]) assert get_users(graph, "all-teams") == set(["testuser"]) assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"]) assert get_groups(graph, "gary") == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "zay") == set(["team-sre", "tech-ops", "team-infra"]) assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"]) assert get_groups(graph, "testuser") == set(["all-teams"]) assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"])
def test_expire_nonauditors(standard_graph, users, groups, session, permissions): """ Test expiration auditing and notification. """ graph = standard_graph # noqa # Test audit autoexpiration for all approvers approver_roles = ["owner", "np-owner", "manager"] for role in approver_roles: # Add non-auditor as an owner to an audited group add_member(groups["audited-team"], users["*****@*****.**"], role=role) session.commit() graph.update_from_db(session) group_md = graph.get_group_details("audited-team") assert group_md.get('audited', False) # Expire the edges. background = BackgroundThread(settings, None) background.expire_nonauditors(session) # Check that the edges are now marked as inactive. edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar() assert edge.expiration is not None assert edge.expiration < datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days) assert edge.expiration > datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days - 1) assert any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)]) audits = AuditLog.get_entries(session, action="nonauditor_flagged") assert len(audits) == 3 + 1 * (approver_roles.index(role) + 1) revoke_member(groups["audited-team"], users["*****@*****.**"]) # Ensure nonauditor, nonapprovers in audited groups do not get set to expired member_roles = ["member"] for role in member_roles: # Add non-auditor as an owner to an audited group add_member(groups["audited-team"], users["*****@*****.**"], role=role) session.commit() graph.update_from_db(session) group_md = graph.get_group_details("audited-team") assert group_md.get('audited', False) # Expire the edges. background = BackgroundThread(settings, None) background.expire_nonauditors(session) # Check that the edges are now marked as inactive. edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar() assert edge.expiration is None assert not any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)]) audits = AuditLog.get_entries(session, action="nonauditor_flagged") assert len(audits) == 3 + 1 * len(approver_roles) revoke_member(groups["audited-team"], users["*****@*****.**"])