def test_edit_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Test Tag Please Ignore", "The description should match what we created it with"
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/tags/{}/edit'.format(tag.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({"description": "Don't tag me bro"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Don't tag me bro", "The description should have been updated"
def post(self):
form = TagCreateForm(self.request.arguments)
if not form.validate():
return self.render(
"tag-create.html", form=form,
alerts=self.get_form_alerts(form.errors)
)
tag = PublicKeyTag(
name=form.data["tagname"],
description=form.data["description"],
)
try:
tag.add(self.session)
self.session.flush()
except IntegrityError:
self.session.rollback()
form.tagname.errors.append(
"{} already exists".format(form.data["tagname"])
)
return self.render(
"tag-create.html", form=form,
alerts=self.get_form_alerts(form.errors)
)
Counter.incr(self.session, "updates")
self.session.commit()
AuditLog.log(self.session, self.current_user.id, 'create_tag',
'Created new tag.', on_tag_id=tag.id)
return self.redirect("/tags/{}?refresh=yes".format(tag.name))
def post(self):
form = TagCreateForm(self.request.arguments)
if not form.validate():
return self.render(
"tag-create.html", form=form, alerts=self.get_form_alerts(form.errors)
)
tag = PublicKeyTag(name=form.data["tagname"], description=form.data["description"])
try:
tag.add(self.session)
self.session.flush()
except IntegrityError:
self.session.rollback()
form.tagname.errors.append("{} already exists".format(form.data["tagname"]))
return self.render(
"tag-create.html", form=form, alerts=self.get_form_alerts(form.errors)
)
Counter.incr(self.session, "updates")
self.session.commit()
AuditLog.log(
self.session, self.current_user.id, "create_tag", "Created new tag.", on_tag_id=tag.id
)
return self.redirect("/tags/{}?refresh=yes".format(tag.name))
def test_grant_permission_to_tag(users, http_client, base_url, session): # noqa: F811
user = session.query(User).filter_by(username="******").scalar()
perm = create_permission(session, TAG_EDIT)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, TAG_EDIT),
"*",
)
fe_url = url(base_url, "/tags")
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/permissions/grant_tag/{}".format(tag.name))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"permission": TAG_EDIT, "argument": "*"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
perm = get_permission(session, TAG_EDIT)
assert (
len(get_public_key_tag_permissions(session, tag)) == 1
), "The tag should have exactly 1 permission"
assert (
get_public_key_tag_permissions(session, tag)[0].name == perm.name
), "The tag's permission should be the one we added"
assert (
get_public_key_tag_permissions(session, tag)[0].argument == "*"
), "The tag's permission should be the one we added"
# Make sure trying to add a permission to a tag doesn't fail horribly if it's already there
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/permissions/grant_tag/{}".format(tag.name))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"permission": TAG_EDIT, "argument": "*"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
def test_revoke_permission_from_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'tagname':
"tyler_was_here",
"description":
"Test Tag Please Ignore"
}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'permission': TAG_EDIT,
"argument": "*"
}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
perm = Permission.get(session, TAG_EDIT)
assert len(get_public_key_tag_permissions(
session, tag)) == 1, "The tag should have exactly 1 permission"
user = session.query(User).filter_by(username="******").scalar()
mapping = get_public_key_tag_permissions(session, tag)[0]
fe_url = url(
base_url,
'/permissions/{}/revoke_tag/{}'.format(TAG_EDIT, mapping.mapping_id))
resp = yield http_client.fetch(fe_url,
method="POST",
body="",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert len(get_public_key_tag_permissions(
session, tag)) == 0, "The tag should have no permissions"
def test_revoke_permission_from_tag(users, http_client, base_url, session): # noqa: F811
user = session.query(User).filter_by(username="******").scalar()
create_permission(session, TAG_EDIT)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, TAG_EDIT),
"*",
)
fe_url = url(base_url, "/tags")
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/permissions/grant_tag/{}".format(tag.name))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"permission": TAG_EDIT, "argument": "*"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
get_permission(session, TAG_EDIT)
assert (
len(get_public_key_tag_permissions(session, tag)) == 1
), "The tag should have exactly 1 permission"
user = session.query(User).filter_by(username="******").scalar()
mapping = get_public_key_tag_permissions(session, tag)[0]
fe_url = url(base_url, "/permissions/{}/revoke_tag/{}".format(TAG_EDIT, mapping.mapping_id))
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
)
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert (
len(get_public_key_tag_permissions(session, tag)) == 0
), "The tag should have no permissions"
def test_tags(session, users, http_client, base_url, graph):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
grant_permission_to_tag(session, tag.id, perm.id, "prod")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, key1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_tags(session, http_client, base_url, graph):
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
grant_permission_to_tag(session, tag.id, perm.id, "prod")
with pytest.raises(AssertionError):
grant_permission_to_tag(session, tag.id, perm.id, "question?")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, SSH_KEY_1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key['fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
assert pub_key['fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def post(self, tag_id=None, name=None):
tag = PublicKeyTag.get(self.session, tag_id, name)
if not tag:
return self.notfound()
if not user_has_permission(self.session, self.current_user, TAG_EDIT, tag.name):
return self.forbidden()
form = TagEditForm(self.request.arguments, obj=tag)
if not form.validate():
return self.render(
"tag-edit.html", tag=tag, form=form,
alerts=self.get_form_alerts(form.errors)
)
tag.description = form.data["description"]
tag.enabled = form.data["enabled"]
Counter.incr(self.session, "updates")
try:
self.session.commit()
except IntegrityError:
self.session.rollback()
form.tagname.errors.append(
"{} already exists".format(form.data["tagname"])
)
return self.render(
"tag-edit.html", tag=tag, form=form,
alerts=self.get_form_alerts(form.errors)
)
AuditLog.log(self.session, self.current_user.id, 'edit_tag',
'Edited tag.', on_tag_id=tag.id)
return self.redirect("/tags/{}".format(tag.name))
def post(self, user_id=None, name=None, key_id=None, tag_id=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
try:
key = get_public_key(self.session, user.id, key_id)
except KeyNotFound:
return self.notfound()
tag = PublicKeyTag.get(self.session, id=tag_id)
if not tag:
return self.notfound()
try:
remove_tag_from_public_key(self.session, key, tag)
except TagNotOnKey:
return self.redirect("/users/{}?refresh=yes".format(user.name))
AuditLog.log(
self.session,
self.current_user.id,
"untag_public_key",
"Untagged public key: {}".format(key.fingerprint_sha256),
on_tag_id=tag.id,
on_user_id=user.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def post(self, user_id=None, name=None, key_id=None, tag_id=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
try:
key = get_public_key(self.session, user.id, key_id)
except KeyNotFound:
return self.notfound()
tag = PublicKeyTag.get(self.session, id=tag_id)
if not tag:
return self.notfound()
try:
remove_tag_from_public_key(self.session, key, tag)
except TagNotOnKey:
return self.redirect("/users/{}?refresh=yes".format(user.name))
AuditLog.log(self.session, self.current_user.id, 'untag_public_key',
'Untagged public key: {}'.format(key.fingerprint),
on_tag_id=tag.id, on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def test_edit_tag(users, http_client, base_url, session): # noqa: F811
user = session.query(User).filter_by(username="******").scalar()
create_permission(session, TAG_EDIT)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, TAG_EDIT),
"*",
)
fe_url = url(base_url, "/tags")
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({
"tagname": "tyler_was_here",
"description": "Test Tag Please Ignore"
}),
headers={"X-Grouper-User": user.username},
)
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert (tag.description == "Test Tag Please Ignore"
), "The description should match what we created it with"
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/tags/{}/edit".format(tag.id))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"description": "Don't tag me bro"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Don't tag me bro", "The description should have been updated"
def post(self, name=None):
tag = PublicKeyTag.get(self.session, None, name)
if not tag:
return self.notfound()
if not user_has_permission(self.session, self.current_user, TAG_EDIT,
tag.name):
return self.forbidden()
form = PermissionGrantTagForm(self.request.arguments)
form.permission.choices = [["", "(select one)"]]
for perm in get_all_permissions(self.session):
form.permission.choices.append(
[perm.name, "{} (*)".format(perm.name)])
if not form.validate():
return self.render(
"permission-grant-tag.html",
form=form,
tag=tag,
alerts=self.get_form_alerts(form.errors),
)
permission = get_permission(self.session, form.data["permission"])
if not permission:
return self.notfound() # Shouldn't happen.
success = grant_permission_to_tag(self.session,
tag.id,
permission.id,
argument=form.data["argument"])
if not success:
form.argument.errors.append(
"Permission and Argument already mapped to this tag.")
return self.render(
"permission-grant-tag.html",
form=form,
tag=tag,
alerts=self.get_form_alerts(form.errors),
)
AuditLog.log(
self.session,
self.current_user.id,
"grant_permission_tag",
"Granted permission with argument: {}".format(
form.data["argument"]),
on_permission_id=permission.id,
on_tag_id=tag.id,
)
return self.redirect("/tags/{}?refresh=yes".format(tag.name))
def post(self, user_id=None, name=None, key_id=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
try:
key = get_public_key(self.session, user.id, key_id)
except KeyNotFound:
return self.notfound()
form = PublicKeyAddTagForm(self.request.arguments)
form.tagname.choices = []
for tag in self.session.query(PublicKeyTag).filter_by(
enabled=True).all():
form.tagname.choices.append([tag.name, tag.name])
if not form.validate():
return self.render("public-key-add-tag.html",
form=form,
user=user,
key=key,
alerts=self.get_form_alerts(form.errors))
tag = PublicKeyTag.get(self.session, name=form.data["tagname"])
if not tag:
form.tagname.errors.append("Unknown tag name {}".format(
form.data["tagname"]))
return self.render("public-key-add-tag.html",
form=form,
user=user,
key=key,
alerts=self.get_form_alerts(form.errors))
try:
add_tag_to_public_key(self.session, key, tag)
except DuplicateTag:
return self.render("public-key-add-tag.html",
form=form,
user=user,
key=key,
alerts=["This key already has that tag!"])
AuditLog.log(self.session,
self.current_user.id,
'tag_public_key',
'Tagged public key: {}'.format(key.fingerprint_sha256),
on_tag_id=tag.id,
on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def get(self, tag_id=None, name=None):
tag = PublicKeyTag.get(self.session, tag_id, name)
if not tag:
return self.notfound()
if not user_has_permission(self.session, self.current_user, TAG_EDIT, tag.name):
return self.forbidden()
form = TagEditForm(obj=tag)
self.render("tag-edit.html", tag=tag, form=form)
def get(self, tag_id=None, name=None):
tag = PublicKeyTag.get(self.session, tag_id, name)
if not tag:
return self.notfound()
if not user_has_permission(self.session, self.current_user, TAG_EDIT,
tag.name):
return self.forbidden()
form = TagEditForm(obj=tag)
self.render("tag-edit.html", tag=tag, form=form)
def test_grant_permission_to_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
perm = Permission.get(session, TAG_EDIT)
assert len(get_public_key_tag_permissions(session, tag)) == 1, "The tag should have exactly 1 permission"
assert get_public_key_tag_permissions(session, tag)[0].name == perm.name, "The tag's permission should be the one we added"
assert get_public_key_tag_permissions(session, tag)[0].argument == "*", "The tag's permission should be the one we added"
# Make sure trying to add a permission to a tag doesn't fail horribly if it's already there
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
def test_revoke_permission_from_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
perm = Permission.get(session, TAG_EDIT)
assert len(get_public_key_tag_permissions(session, tag)) == 1, "The tag should have exactly 1 permission"
user = session.query(User).filter_by(username="******").scalar()
mapping = get_public_key_tag_permissions(session, tag)[0]
fe_url = url(base_url, '/permissions/{}/revoke_tag/{}'.format(TAG_EDIT, mapping.mapping_id))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert len(get_public_key_tag_permissions(session, tag)) == 0, "The tag should have no permissions"
def test_edit_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'tagname':
"tyler_was_here",
"description":
"Test Tag Please Ignore"
}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Test Tag Please Ignore", "The description should match what we created it with"
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/tags/{}/edit'.format(tag.id))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode(
{"description": "Don't tag me bro"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Don't tag me bro", "The description should have been updated"
def test_create_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag is not None, "The tag should be created"
assert tag.name == "tyler_was_here", "The tag's name should be tyler_was_here"
def test_permissions(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "prod"}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': key_1}),
headers={'X-Grouper-User': user.username})
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
def get(self, tag_id=None, name=None):
self.handle_refresh()
tag = PublicKeyTag.get(self.session, tag_id, name)
if not tag:
return self.notfound()
permissions = get_public_key_tag_permissions(self.session, tag)
log_entries = tag.my_log_entries()
is_owner = user_has_permission(self.session, self.current_user, TAG_EDIT, tag.name)
can_grant = self.session.query(Permission).all() if is_owner else []
self.render(
"tag.html", tag=tag, permissions=permissions, can_grant=can_grant,
log_entries=log_entries, is_owner=is_owner,
)
def get(self, tag_id=None, name=None):
self.handle_refresh()
tag = PublicKeyTag.get(self.session, tag_id, name)
if not tag:
return self.notfound()
permissions = get_public_key_tag_permissions(self.session, tag)
log_entries = tag.my_log_entries()
is_owner = user_has_permission(self.session, self.current_user, TAG_EDIT, tag.name)
can_grant = self.session.query(Permission).all() if is_owner else []
self.render(
"tag.html", tag=tag, permissions=permissions, can_grant=can_grant,
log_entries=log_entries, is_owner=is_owner,
)
def test_create_tag(users, http_client, base_url, session): # noqa: F811
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/tags")
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag is not None, "The tag should be created"
assert tag.name == "tyler_was_here", "The tag's name should be tyler_was_here"
def post(self, user_id=None, name=None, key_id=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
try:
key = get_public_key(self.session, user.id, key_id)
except KeyNotFound:
return self.notfound()
form = PublicKeyAddTagForm(self.request.arguments)
form.tagname.choices = []
for tag in self.session.query(PublicKeyTag).filter_by(enabled=True).all():
form.tagname.choices.append([tag.name, tag.name])
if not form.validate():
return self.render(
"public-key-add-tag.html", form=form, user=user, key=key,
alerts=self.get_form_alerts(form.errors)
)
tag = PublicKeyTag.get(self.session, name=form.data["tagname"])
if not tag:
form.tagname.errors.append("Unknown tag name {}".format(form.data["tagname"]))
return self.render(
"public-key-add-tag.html", form=form, user=user, key=key,
alerts=self.get_form_alerts(form.errors)
)
try:
add_tag_to_public_key(self.session, key, tag)
except DuplicateTag:
return self.render(
"public-key-add-tag.html", form=form, user=user, key=key,
alerts=["This key already has that tag!"]
)
AuditLog.log(self.session, self.current_user.id, 'tag_public_key',
'Tagged public key: {}'.format(key.fingerprint_sha256),
on_tag_id=tag.id, on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def get(self, name=None):
tag = PublicKeyTag.get(self.session, None, name)
if not tag:
return self.notfound()
if not user_has_permission(self.session, self.current_user, TAG_EDIT, tag.name):
return self.forbidden()
form = PermissionGrantTagForm()
form.permission.choices = [["", "(select one)"]]
for perm in self.session.query(Permission).all():
form.permission.choices.append([perm.name, "{} (*)".format(perm.name)])
return self.render(
"permission-grant-tag.html", form=form, tag=tag,
)
def get(self, name=None):
tag = PublicKeyTag.get(self.session, None, name)
if not tag:
return self.notfound()
if not user_has_permission(self.session, self.current_user, TAG_EDIT,
tag.name):
return self.forbidden()
form = PermissionGrantTagForm()
form.permission.choices = [["", "(select one)"]]
for perm in get_all_permissions(self.session):
form.permission.choices.append(
[perm.name, "{} (*)".format(perm.name)])
return self.render("permission-grant-tag.html", form=form, tag=tag)
def post(self, name=None):
tag = PublicKeyTag.get(self.session, None, name)
if not tag:
return self.notfound()
if not user_has_permission(self.session, self.current_user, TAG_EDIT, tag.name):
return self.forbidden()
form = PermissionGrantTagForm(self.request.arguments)
form.permission.choices = [["", "(select one)"]]
for perm in self.session.query(Permission).all():
form.permission.choices.append([perm.name, "{} (*)".format(perm.name)])
if not form.validate():
return self.render(
"permission-grant-tag.html", form=form, tag=tag,
alerts=self.get_form_alerts(form.errors)
)
permission = Permission.get(self.session, form.data["permission"])
if not permission:
return self.notfound() # Shouldn't happen.
success = grant_permission_to_tag(self.session, tag.id, permission.id,
argument=form.data["argument"])
if not success:
form.argument.errors.append(
"Permission and Argument already mapped to this tag."
)
return self.render(
"permission-grant-tag.html", form=form, tag=tag,
alerts=self.get_form_alerts(form.errors),
)
AuditLog.log(self.session, self.current_user.id, 'grant_permission_tag',
'Granted permission with argument: {}'.format(form.data["argument"]),
on_permission_id=permission.id, on_tag_id=tag.id)
return self.redirect("/tags/{}?refresh=yes".format(tag.name))
def post(self, tag_id=None, name=None):
tag = PublicKeyTag.get(self.session, tag_id, name)
if not tag:
return self.notfound()
if not user_has_permission(self.session, self.current_user, TAG_EDIT,
tag.name):
return self.forbidden()
form = TagEditForm(self.request.arguments, obj=tag)
if not form.validate():
return self.render("tag-edit.html",
tag=tag,
form=form,
alerts=self.get_form_alerts(form.errors))
tag.description = form.data["description"]
tag.enabled = form.data["enabled"]
Counter.incr(self.session, "updates")
try:
self.session.commit()
except IntegrityError:
self.session.rollback()
form.tagname.errors.append("{} already exists".format(
form.data["tagname"]))
return self.render("tag-edit.html",
tag=tag,
form=form,
alerts=self.get_form_alerts(form.errors))
AuditLog.log(self.session,
self.current_user.id,
"edit_tag",
"Edited tag.",
on_tag_id=tag.id)
return self.redirect("/tags/{}".format(tag.name))
def test_permissions(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm = Permission(name="it.literally.does.not.matter",
description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(
name="it.literally.does.not.matter").scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'tagname':
"tyler_was_here",
"description":
"Test Tag Please Ignore"
}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'permission': TAG_EDIT,
"argument": "prod"
}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': key_1}),
headers={'X-Grouper-User': user.username})
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url,
'/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode(
{'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(
session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(
session,
key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(
session, key
)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(
session, user)) > 1, "The user should have more than 1 permission"
def test_grant_permission_to_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'tagname':
"tyler_was_here",
"description":
"Test Tag Please Ignore"
}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'permission': TAG_EDIT,
"argument": "*"
}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
perm = Permission.get(session, TAG_EDIT)
assert len(get_public_key_tag_permissions(
session, tag)) == 1, "The tag should have exactly 1 permission"
assert get_public_key_tag_permissions(
session, tag
)[0].name == perm.name, "The tag's permission should be the one we added"
assert get_public_key_tag_permissions(
session, tag
)[0].argument == "*", "The tag's permission should be the one we added"
# Make sure trying to add a permission to a tag doesn't fail horribly if it's already there
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'permission': TAG_EDIT,
"argument": "*"
}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
def test_remove_tag(users, http_client, base_url, session): # noqa: F811
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_1}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
# add SSH key
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_2}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
key2 = session.query(PublicKey).filter_by(public_key=SSH_KEY_2).scalar()
fe_url = url(base_url, "/tags")
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
tag = PublicKeyTag.get(session, name="tyler_was_here")
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert (
get_public_key_tags(session, key) == []
), "No public keys should have a tag unless it's been added to the key"
fe_url = url(base_url, "/tags")
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "dont_tag_me_bro", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
PublicKeyTag.get(session, name="dont_tag_me_bro")
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert (
get_public_key_tags(session, key) == []
), "No public keys should have a tag unless it's been added to the key"
fe_url = url(base_url, "/users/{}/public-key/{}/tag".format(user.username, key.id))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
assert get_public_key_tags(session, key)[0].name == "tyler_was_here"
key2 = session.query(PublicKey).filter_by(public_key=SSH_KEY_2).scalar()
assert (
len(get_public_key_tags(session, key2)) == 0
), "Keys other than the one with the added tag should not gain tags"
fe_url = url(base_url, "/users/{}/public-key/{}/tag".format(user.username, key2.id))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here"}),
headers={"X-Grouper-User": user.username},
)
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
# Fail Remove tag
tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
fe_url = url(
base_url, "/users/{}/public-key/{}/delete_tag/{}".format(user.username, key.id, tag.id)
)
with pytest.raises(HTTPError):
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": "******"}
)
# Remove tag that isn't on key: should fail silently
tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
fe_url = url(
base_url, "/users/{}/public-key/{}/delete_tag/{}".format(user.username, key.id, tag.id)
)
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
)
assert resp.code == 200
# Remove tag
tag = PublicKeyTag.get(session, name="tyler_was_here")
fe_url = url(
base_url, "/users/{}/public-key/{}/delete_tag/{}".format(user.username, key.id, tag.id)
)
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
)
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert len(get_public_key_tags(session, key)) == 0, "The key should have exactly 0 tags"
key2 = session.query(PublicKey).filter_by(public_key=SSH_KEY_2).scalar()
assert (
len(get_public_key_tags(session, key2)) == 1
), "Removing a tag from one key should not affect other keys"
# User admin remove tag
# readd tag
fe_url = url(base_url, "/users/{}/public-key/{}/tag".format(user.username, key.id))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
assert get_public_key_tags(session, key)[0].name == "tyler_was_here"
# Nonuser admin fail Remove tag
tag = PublicKeyTag.get(session, name="tyler_was_here")
fe_url = url(
base_url, "/users/{}/public-key/{}/delete_tag/{}".format(user.username, key.id, tag.id)
)
with pytest.raises(HTTPError):
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": "******"}
)
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tags"
# Remove tag
tag = PublicKeyTag.get(session, name="tyler_was_here")
fe_url = url(
base_url, "/users/{}/public-key/{}/delete_tag/{}".format(user.username, key.id, tag.id)
)
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": "******"}
)
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert len(get_public_key_tags(session, key)) == 0, "The key should have exactly 0 tags"
def test_permissions(users, http_client, base_url, session): # noqa: F811
user = session.query(User).filter_by(username="******").scalar()
create_permission(session, TAG_EDIT)
session.commit()
create_permission(session, "it.literally.does.not.matter")
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, TAG_EDIT),
"*",
)
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, "it.literally.does.not.matter"),
"*",
)
fe_url = url(base_url, "/tags")
yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/permissions/grant_tag/{}".format(tag.name))
yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"permission": TAG_EDIT, "argument": "prod"}),
headers={"X-Grouper-User": user.username},
)
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_1}),
headers={"X-Grouper-User": user.username},
)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/users/{}/public-key/{}/tag".format(user.username, key.id))
yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here"}),
headers={"X-Grouper-User": user.username},
)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert (
len(get_public_key_permissions(session, key)) == 1
), "The SSH Key should have only 1 permission"
assert (
get_public_key_permissions(session, key)[0].name == TAG_EDIT
), "The SSH key's permission should be TAG_EDIT"
assert (
get_public_key_permissions(session, key)[0].argument == "prod"
), "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
def test_tags(session, http_client, base_url, graph):
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter",
description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(
name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
grant_permission_to_tag(session, tag.id, perm.id, "prod")
with pytest.raises(AssertionError):
grant_permission_to_tag(session, tag.id, perm.id, "question?")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, SSH_KEY_1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(
session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(
session,
key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(
session, key
)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(
session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key[
'fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
assert pub_key[
'fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
assert pub_key['tags'][
0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_add_tag(users, http_client, base_url, session): # noqa: F811
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_1}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
# add SSH key
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_2}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
key2 = session.query(PublicKey).filter_by(public_key=SSH_KEY_2).scalar()
fe_url = url(base_url, "/tags")
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
PublicKeyTag.get(session, name="tyler_was_here")
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert (
get_public_key_tags(session, key) == []
), "No public keys should have a tag unless it's been added to the key"
fe_url = url(base_url, "/tags")
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "dont_tag_me_bro", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
PublicKeyTag.get(session, name="dont_tag_me_bro")
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert (
get_public_key_tags(session, key) == []
), "No public keys should have a tag unless it's been added to the key"
fe_url = url(base_url, "/users/{}/public-key/{}/tag".format(user.username, key.id))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
assert get_public_key_tags(session, key)[0].name == "tyler_was_here"
key2 = session.query(PublicKey).filter_by(public_key=SSH_KEY_2).scalar()
assert (
len(get_public_key_tags(session, key2)) == 0
), "Keys other than the one with the added tag should not gain tags"
# Non-admin and not user adding tag should fail
fe_url = url(base_url, "/users/{}/public-key/{}/tag".format(user.username, key.id))
with pytest.raises(HTTPError):
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here"}),
headers={"X-Grouper-User": "******"},
)
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
assert get_public_key_tags(session, key)[0].name == "tyler_was_here"
# User admins test
fe_url = url(base_url, "/users/{}/public-key/{}/tag".format(user.username, key.id))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "dont_tag_me_bro"}),
headers={"X-Grouper-User": "******"},
)
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=SSH_KEY_1).scalar()
assert len(get_public_key_tags(session, key)) == 2, "The key should have 2 tags now"
assert set([x.name for x in get_public_key_tags(session, key)]) == set(
["tyler_was_here", "dont_tag_me_bro"]
)
def test_add_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': key_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': key_2}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert get_public_key_tags(session, key) == [], "No public keys should have a tag unless it's been added to the key"
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "dont_tag_me_bro", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert get_public_key_tags(session, key) == [], "No public keys should have a tag unless it's been added to the key"
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
assert get_public_key_tags(session, key)[0].name == "tyler_was_here"
key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
assert len(get_public_key_tags(session, key2)) == 0, "Keys other than the one with the added tag should not gain tags"
# Non-admin and not user adding tag should fail
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
with pytest.raises(HTTPError):
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': "******"})
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
assert get_public_key_tags(session, key)[0].name == "tyler_was_here"
# User admins test
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "dont_tag_me_bro"}),
headers={'X-Grouper-User': "******"})
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert len(get_public_key_tags(session, key)) == 2, "The key should have 2 tags now"
assert set([x.name for x in get_public_key_tags(session, key)]) == set(["tyler_was_here",
"dont_tag_me_bro"])
def test_tags(session, http_client, base_url, graph): # noqa: F811
perm = create_permission(session, TAG_EDIT)
session.commit()
create_permission(session, "it.literally.does.not.matter")
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, TAG_EDIT),
"*",
)
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, "it.literally.does.not.matter"),
"*",
)
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
grant_permission_to_tag(session, tag.id, perm.id, "prod")
with pytest.raises(AssertionError):
grant_permission_to_tag(session, tag.id, perm.id, "question?")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, SSH_KEY_1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert (
len(get_public_key_permissions(session, key)) == 1
), "The SSH Key should have only 1 permission"
assert (
get_public_key_permissions(session, key)[0].name == TAG_EDIT
), "The SSH key's permission should be TAG_EDIT"
assert (
get_public_key_permissions(session, key)[0].argument == "prod"
), "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, "/users/{}".format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body["data"]["user"]["public_keys"][0]
assert len(pub_key["tags"]) == 1, "The public key should only have 1 tag"
assert pub_key["fingerprint"] == "e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35"
assert pub_key["fingerprint_sha256"] == "MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU"
assert pub_key["tags"][0] == "tyler_was_here", "The public key should have the tag we gave it"
def test_remove_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': key_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': key_2}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert get_public_key_tags(session, key) == [], "No public keys should have a tag unless it's been added to the key"
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "dont_tag_me_bro", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag2 = PublicKeyTag.get(session, name="dont_tag_me_bro")
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert get_public_key_tags(session, key) == [], "No public keys should have a tag unless it's been added to the key"
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
assert get_public_key_tags(session, key)[0].name == "tyler_was_here"
key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
assert len(get_public_key_tags(session, key2)) == 0, "Keys other than the one with the added tag should not gain tags"
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key2.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
# Fail Remove tag
tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
with pytest.raises(HTTPError):
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': "******"})
# Remove tag that isn't on key: should fail silently
tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# Remove tag
tag = PublicKeyTag.get(session, name="tyler_was_here")
fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert len(get_public_key_tags(session, key)) == 0, "The key should have exactly 0 tags"
key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
assert len(get_public_key_tags(session, key2)) == 1, "Removing a tag from one key should not affect other keys"
# User admin remove tag
# readd tag
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
assert get_public_key_tags(session, key)[0].name == "tyler_was_here"
# Nonuser admin fail Remove tag
tag = PublicKeyTag.get(session, name="tyler_was_here")
fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
with pytest.raises(HTTPError):
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': "******"})
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tags"
# Remove tag
tag = PublicKeyTag.get(session, name="tyler_was_here")
fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': "******"})
assert resp.code == 200
key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
assert len(get_public_key_tags(session, key)) == 0, "The key should have exactly 0 tags"
