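def user_admin_perm_to_auditors(session, groups):  # noqa: F811
    """Grant the USER_ADMIN permission (no argument) to the "auditors" group.

    Test-fixture helper: creates the USER_ADMIN permission if it does not exist
    yet, commits, and grants it to ``groups["auditors"]``. USER_ADMIN is an
    administrative permission; this helper is for seeding test state only and
    must not be reused as production bootstrap code.

    Args:
        session: database session shared with the other fixtures.
        groups: mapping of group name -> group object; must contain "auditors".

    Returns:
        None. Side effects: possibly a new permission row, plus one grant.
    """
    # get_or_create_permission returns (permission, is_new); the creation flag
    # was previously bound to an unused local, so index the tuple directly as
    # do_request_perms does.
    user_admin_perm = get_or_create_permission(
        session, USER_ADMIN, description="grouper.admin.users permission"
    )[0]
    # Commit before granting, matching the ordering used by the sibling fixtures.
    session.commit()
    grant_permission(groups["auditors"], user_admin_perm)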
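def user_enable_perm_to_sre(session, groups):  # noqa: F811
    """Grant (USER_ENABLE, "*") to the group ``team-sre``.

    Test-fixture helper: creates the USER_ENABLE permission if needed, commits,
    and grants it to ``groups["team-sre"]`` with argument ``"*"``. The ``"*"``
    argument is deliberately broad (presumably the wildcard, i.e. any target);
    it is appropriate for a test fixture but would be an over-grant in real
    setup code.

    Args:
        session: database session shared with the other fixtures.
        groups: mapping of group name -> group object; must contain "team-sre".

    Returns:
        None. Side effects: possibly a new permission row, plus one grant.
    """
    # Only the permission object is used; the is_new flag returned alongside it
    # was an unused local, so take element [0] directly.
    user_enable_perm = get_or_create_permission(
        session, USER_ENABLE, description="grouper.user.enable perm"
    )[0]
    # Commit before granting, matching the ordering used by the sibling fixtures.
    session.commit()
    grant_permission(groups["team-sre"], user_enable_perm, argument="*")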
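def user_enable_perm_to_sre(session, groups):  # noqa: F811
    """Grant (USER_ENABLE, "*") to the group ``team-sre``.

    Test-fixture helper: creates the USER_ENABLE permission if needed, commits,
    and grants it to ``groups["team-sre"]`` with argument ``"*"``. The ``"*"``
    argument is deliberately broad (presumably the wildcard, i.e. any target);
    it is appropriate for a test fixture but would be an over-grant in real
    setup code.

    Args:
        session: database session shared with the other fixtures.
        groups: mapping of group name -> group object; must contain "team-sre".

    Returns:
        None. Side effects: possibly a new permission row, plus one grant.
    """
    # Only the permission object is used; the is_new flag returned alongside it
    # was an unused local, so take element [0] directly.
    user_enable_perm = get_or_create_permission(
        session, USER_ENABLE, description="grouper.user.enable perm"
    )[0]
    # Commit before granting, matching the ordering used by the sibling fixtures.
    session.commit()
    grant_permission(groups["team-sre"], user_enable_perm, argument="*")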
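def user_admin_perm_to_auditors(session, groups):  # noqa: F811
    """Grant the USER_ADMIN permission (no argument) to the "auditors" group.

    Test-fixture helper: creates the USER_ADMIN permission if it does not exist
    yet, commits, and grants it to ``groups["auditors"]``. USER_ADMIN is an
    administrative permission; this helper is for seeding test state only and
    must not be reused as production bootstrap code.

    Args:
        session: database session shared with the other fixtures.
        groups: mapping of group name -> group object; must contain "auditors".

    Returns:
        None. Side effects: possibly a new permission row, plus one grant.
    """
    # get_or_create_permission returns (permission, is_new); the creation flag
    # was previously bound to an unused local, so index the tuple directly as
    # do_request_perms does.
    user_admin_perm = get_or_create_permission(
        session, USER_ADMIN, description="grouper.admin.users permission"
    )[0]
    # Commit before granting, matching the ordering used by the sibling fixtures.
    session.commit()
    grant_permission(groups["auditors"], user_admin_perm)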
def do_request_perms(groups, permissions, session, users):  # noqa: F811
    """Seed permissions, grants and pending requests for the request-flow tests.

    Steps, in order:
      1. Create PERM_WITH_GRANTER, PERM_NO_GRANTER, PERMISSION_GRANT and
         PERMISSION_ADMIN (idempotently) and commit.
      2. Grant GRANTING_TEAM a PERMISSION_GRANT whose argument is
         ``"<PERM_WITH_GRANTER>/<ARGUMENT>"`` (presumably scoping what that team
         may grant to exactly that permission/argument pair), and grant
         ADMIN_TEAM PERMISSION_ADMIN with an empty argument.
      3. File two requests from REQUESTING_USER for REQUESTING_TEAM (one per
         test permission) and one from GRANTING_USER for GRANTING_TEAM asking
         for PERMISSION_ADMIN, then commit.

    ``permissions`` is accepted but never read; it presumably exists only to
    force fixture ordering.
    """

    def _perm(name, **kwargs):
        # get_or_create_permission returns (permission, is_new); only the
        # permission object is wanted here.
        return get_or_create_permission(session, name, **kwargs)[0]

    test_perm_granter = _perm(PERM_WITH_GRANTER, description="perm with granter")
    test_perm_nogranter = _perm(PERM_NO_GRANTER, description="perm without granter")
    grant_perm = _perm(PERMISSION_GRANT)
    admin_perm = _perm(PERMISSION_ADMIN)
    session.commit()

    # Scoped grant right for GRANTING_TEAM; unscoped (empty argument) admin
    # right for ADMIN_TEAM.
    grant_permission(
        groups[GRANTING_TEAM],
        grant_perm,
        argument="{}/{}".format(PERM_WITH_GRANTER, ARGUMENT),
    )
    grant_permission(groups[ADMIN_TEAM], admin_perm, argument="")

    # Same requester/team for both test permissions: one has a granter, one
    # has none.
    for requested_perm in (test_perm_granter, test_perm_nogranter):
        create_request(
            session,
            users[REQUESTING_USER],
            groups[REQUESTING_TEAM],
            requested_perm,
            ARGUMENT,
            REASON,
        )

    # A request from a different user and team, for the admin permission.
    create_request(
        session,
        users[GRANTING_USER],
        groups[GRANTING_TEAM],
        admin_perm,
        ARGUMENT,
        REASON,
    )
    session.commit()
def do_request_perms(groups, permissions, session, users):  # noqa: F811
    """Seed permissions, grants and pending requests for the request-flow tests.

    Creates the two test permissions plus PERMISSION_GRANT and PERMISSION_ADMIN,
    commits, gives GRANTING_TEAM a PERMISSION_GRANT with argument
    ``"<PERM_WITH_GRANTER>/<ARGUMENT>"`` and ADMIN_TEAM PERMISSION_ADMIN with an
    empty argument, then files three requests: PERM_WITH_GRANTER and
    PERM_NO_GRANTER from REQUESTING_USER on behalf of REQUESTING_TEAM, and
    PERMISSION_ADMIN from GRANTING_USER on behalf of GRANTING_TEAM.

    ``permissions`` is not read; it is presumably a fixture-ordering dependency.
    """
    created = {
        name: get_or_create_permission(session, name, **extra)[0]
        for name, extra in (
            (PERM_WITH_GRANTER, {"description": "perm with granter"}),
            (PERM_NO_GRANTER, {"description": "perm without granter"}),
            (PERMISSION_GRANT, {}),
            (PERMISSION_ADMIN, {}),
        )
    }
    session.commit()

    # GRANTING_TEAM's grant right is scoped by "<permission>/<argument>";
    # ADMIN_TEAM's admin right carries an empty argument.
    grant_permission(
        groups[GRANTING_TEAM],
        created[PERMISSION_GRANT],
        argument="{}/{}".format(PERM_WITH_GRANTER, ARGUMENT),
    )
    grant_permission(groups[ADMIN_TEAM], created[PERMISSION_ADMIN], argument="")

    def _request(user_key, group_key, perm):
        # All requests share ARGUMENT and REASON; only actor/team/permission vary.
        create_request(session, users[user_key], groups[group_key], perm, ARGUMENT, REASON)

    # Two requests from REQUESTING_TEAM, one per test permission.
    _request(REQUESTING_USER, REQUESTING_TEAM, created[PERM_WITH_GRANTER])
    _request(REQUESTING_USER, REQUESTING_TEAM, created[PERM_NO_GRANTER])
    # One more request from a user other than REQUESTING_USER.
    _request(GRANTING_USER, GRANTING_TEAM, created[PERMISSION_ADMIN])
    session.commit()
def test_list_public_keys(async_server, browser, session, users, groups):  # noqa: F811
    """The /users/public-keys page lists keys and shows 100 rows per page.

    Setup: the test user becomes an owner of "group-admins", which is granted
    AUDIT_SECURITY with argument "public_keys" (the right that presumably
    gates this page). 120 keys are then inserted for that user straight
    through the PublicKey model.

    NOTE(review): key material and fingerprints are synthetic strings
    ("KEY:<i>", "MD5:<i>", "SHA256:<i>") written directly to the model, so
    this test exercises listing and pagination only -- not SSH key parsing or
    fingerprint validation.

    Expect: the row for SHA256:0 shows the owner, "4096" and "ssh-rsa";
    SHA256:99 (the 100th key) is on the first page and SHA256:100 is not.
    """
    permission = get_or_create_permission(session, AUDIT_SECURITY)[0]
    user = users["*****@*****.**"]
    group = groups["group-admins"]
    add_member(group, user, role="owner")
    grant_permission(group, permission, "public_keys")

    def _synthetic_key(index):
        return PublicKey(
            user=user,
            public_key="KEY:{}".format(index),
            fingerprint="MD5:{}".format(index),
            fingerprint_sha256="SHA256:{}".format(index),
            key_size=4096,
            key_type="ssh-rsa",
            comment="",
        )

    # 120 keys: more than the 100-per-page default, so page 2 is non-empty.
    for index in range(120):
        _synthetic_key(index).add(session)
    session.commit()

    browser.get(url(async_server, "/users/public-keys"))
    page = PublicKeysPage(browser)

    first_row = page.find_public_key_row("SHA256:0")
    assert first_row.user == user.username
    assert first_row.key_size == "4096"
    assert first_row.key_type == "ssh-rsa"

    # Last row of the first page is present; the first row of the second
    # page is not rendered here.
    assert page.find_public_key_row("SHA256:99")
    with pytest.raises(NoSuchElementException):
        page.find_public_key_row("SHA256:100")
def test_auditor_promotion(mock_nnp, mock_gagn, session, graph, permissions, users) -> None:  # noqa: F811
    """Test automatic promotion of non-auditor approvers

    We set up our own group/user/permission for testing instead of using the
    `standard_graph` fixture---retrofitting it to work for us and also not
    break existing tests is too cumbersome.

    So here are our groups:

    very-special-auditors:
      * user14

    group-1:
      * user11 (o)
      * user12
      * user13 (np-o)
      * user14 (o, a)

    group-2:
      * user13 (np-o)
      * user21 (o)
      * user22

    group-3:
      * user22 (o)
      * user12 (o)

    group-4:
      * user21 (np-o)
      * user41
      * user42 (o)
      * user43 (np-o)

    o: owner, np-o: no-permission owner, a: auditor

    group-1 and group-2 have the permission that we will enable auditing.
    group-4 will be a subgroup of group-1 and thus will inherit the audited
    permission from group-1.

    The expected outcome is: user11, user13, user21, user42, and user43 will
    be added to the auditors group.

    Security intent: once a permission is audited, every owner/np-owner who
    can approve access to it must themselves be an auditor; the group-4 case
    checks that owners who only hold the audited permission through nested
    membership (group-4 inside group-1) are promoted too, so nesting cannot
    be used to keep an approver outside the auditors group.

    Fixture notes (the patch decorators are outside this view):
      * mock_nnp: the mocked per-user notification/promotion hook; each call is
        asserted below as (settings, session, user, auditors group, set of
        group names that triggered the promotion).
      * mock_gagn: its return_value is set to the auditors group name, so it
        presumably patches the lookup of the configured auditors group.

    NOTE(review): in this copy of the file the concrete user addresses in the
    assertions have been redacted to "*****@*****.**", so the expected sets
    below cannot be cross-checked against the user list above; confirm them
    against the upstream source before relying on this test as documentation.
    """
    settings = BackgroundSettings()
    set_global_settings(settings)

    #
    # set up our test part of the graph
    #

    # create groups
    AUDITED_GROUP = "audited"
    # The name the promotion logic will use for the auditors group.
    AUDITORS_GROUP = mock_gagn.return_value = "very-special-auditors"
    PERMISSION_NAME = "test-permission"
    all_groups = {
        groupname: Group.get_or_create(session, groupname=groupname)[0]
        for groupname in ("group-1", "group-2", "group-3", "group-4", AUDITORS_GROUP)
    }
    # create users
    # user23 is created here but is never added to any group below.
    users.update(
        {
            username + "@a.co": User.get_or_create(session, username=username + "@a.co")[0]
            for username in (
                "user11",
                "user12",
                "user13",
                "user14",
                "user21",
                "user22",
                "user23",
                "user41",
                "user42",
                "user43",
            )
        }
    )
    # create permissions
    permissions.update(
        {
            permission: get_or_create_permission(
                session, permission, description="{} permission".format(permission)
            )[0]
            for permission in [PERMISSION_NAME]
        }
    )
    # add users to groups
    for (groupname, username, role) in (
        ("group-1", "user11", "owner"),
        ("group-1", "user12", "member"),
        ("group-1", "user13", "np-owner"),
        ("group-1", "user14", "owner"),
        ("group-2", "user13", "np-owner"),
        ("group-2", "user21", "owner"),
        ("group-2", "user22", "member"),
        ("group-3", "user12", "owner"),
        ("group-3", "user22", "owner"),
        ("group-4", "user21", "np-owner"),
        ("group-4", "user41", "member"),
        ("group-4", "user42", "owner"),
        ("group-4", "user43", "np-owner"),
    ):
        add_member(all_groups[groupname], users[username + "@a.co"], role=role)
    # add group-4 as member of group-1
    # (a Group is passed as the member, so group-4 inherits group-1's grants)
    add_member(all_groups["group-1"], all_groups["group-4"])
    # add user14 to auditors group
    add_member(all_groups[AUDITORS_GROUP], users["*****@*****.**"])
    # grant permissions to groups
    #
    # give the test permission to groups 1 and 2, and group 4 should
    # also inherit from group 1
    grant_permission(all_groups["group-1"], permissions[PERMISSION_NAME])
    grant_permission(all_groups["group-2"], permissions[PERMISSION_NAME])
    # The auditors group is marked as such by holding PERMISSION_AUDITOR.
    grant_permission(all_groups[AUDITORS_GROUP], permissions[PERMISSION_AUDITOR])

    # Refresh the in-memory graph from the DB; repeated after every mutation
    # below because the assertions read the graph, not the session.
    graph.update_from_db(session)
    # done setting up

    # now a few pre-op checks
    assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
    assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
    assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
    assert get_users(graph, "group-3") == set(["*****@*****.**", "*****@*****.**"])

    #
    # run the promotion logic -> nothing should happen because the
    # test-permission is not yet audited
    #
    # The second BackgroundProcessor argument is None here; its role is not
    # visible in this file.
    background = BackgroundProcessor(settings, None)
    background.promote_nonauditors(session)
    graph.update_from_db(session)
    # nothing should have happened
    assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
    assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
    assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
    assert mock_nnp.call_count == 0

    #
    # now enable auditing for the permission and run the promotion
    # logic again
    #
    # Third argument is the acting user's id (recorded as the actor).
    enable_permission_auditing(session, PERMISSION_NAME, users["*****@*****.**"].id)
    graph.update_from_db(session)
    # Both the direct holder (group-1) and the nested holder (group-4) must now
    # be flagged as audited.
    assert graph.get_group_details("group-1").get(AUDITED_GROUP)
    assert graph.get_group_details("group-4").get(AUDITED_GROUP)
    background = BackgroundProcessor(settings, None)
    background.promote_nonauditors(session)
    graph.update_from_db(session)
    # check that stuff happened
    # Six members: the original auditor plus the five promoted approvers.
    assert get_users(graph, AUDITORS_GROUP) == set(
        [
            "*****@*****.**",
            "*****@*****.**",
            "*****@*****.**",
            "*****@*****.**",
            "*****@*****.**",
            "*****@*****.**",
        ]
    )
    # One notification per promoted user, carrying the set of audited groups
    # that made the promotion necessary.
    expected_calls = [
        call(
            settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-1"])
        ),
        call(
            settings,
            session,
            users["*****@*****.**"],
            all_groups[AUDITORS_GROUP],
            set(["group-1", "group-2"]),
        ),
        call(
            settings,
            session,
            users["*****@*****.**"],
            all_groups[AUDITORS_GROUP],
            set(["group-2", "group-4"]),
        ),
        call(
            settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-4"])
        ),
        call(
            settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-4"])
        ),
    ]
    assert mock_nnp.call_count == len(expected_calls)
    mock_nnp.assert_has_calls(expected_calls, any_order=True)

    #
    # run the background promotion logic again, and nothing should
    # happen
    #
    # Idempotence: a second pass must not re-notify already-promoted users.
    mock_nnp.reset_mock()
    background = BackgroundProcessor(settings, None)
    background.promote_nonauditors(session)
    assert mock_nnp.call_count == 0
def test_auditor_promotion(mock_nnp, mock_gagn, session, graph, permissions, users) -> None:  # noqa: F811
    """Test automatic promotion of non-auditor approvers

    We set up our own group/user/permission for testing instead of using the
    `standard_graph` fixture---retrofitting it to work for us and also not
    break existing tests is too cumbersome.

    So here are our groups:

    very-special-auditors:
      * user14

    group-1:
      * user11 (o)
      * user12
      * user13 (np-o)
      * user14 (o, a)

    group-2:
      * user13 (np-o)
      * user21 (o)
      * user22

    group-3:
      * user22 (o)
      * user12 (o)

    group-4:
      * user21 (np-o)
      * user41
      * user42 (o)
      * user43 (np-o)

    o: owner, np-o: no-permission owner, a: auditor

    group-1 and group-2 have the permission that we will enable auditing.
    group-4 will be a subgroup of group-1 and thus will inherit the audited
    permission from group-1.

    The expected outcome is: user11, user13, user21, user42, and user43 will
    be added to the auditors group.

    Security intent: once a permission is audited, every owner/np-owner who
    can approve access to it must themselves be an auditor; the group-4 case
    checks that owners who only hold the audited permission through nested
    membership (group-4 inside group-1) are promoted too, so nesting cannot
    be used to keep an approver outside the auditors group.

    Fixture notes (the patch decorators are outside this view):
      * mock_nnp: the mocked per-user notification/promotion hook; each call is
        asserted below as (settings, session, user, auditors group, set of
        group names that triggered the promotion).
      * mock_gagn: its return_value is set to the auditors group name, so it
        presumably patches the lookup of the configured auditors group.

    NOTE(review): in this copy of the file the concrete user addresses in the
    assertions have been redacted to "*****@*****.**", so the expected sets
    below cannot be cross-checked against the user list above; confirm them
    against the upstream source before relying on this test as documentation.
    """
    settings = BackgroundSettings()
    set_global_settings(settings)

    #
    # set up our test part of the graph
    #

    # create groups
    AUDITED_GROUP = "audited"
    # The name the promotion logic will use for the auditors group.
    AUDITORS_GROUP = mock_gagn.return_value = "very-special-auditors"
    PERMISSION_NAME = "test-permission"
    all_groups = {
        groupname: Group.get_or_create(session, groupname=groupname)[0]
        for groupname in ("group-1", "group-2", "group-3", "group-4", AUDITORS_GROUP)
    }
    # create users
    # user23 is created here but is never added to any group below.
    users.update({
        username + "@a.co": User.get_or_create(session, username=username + "@a.co")[0]
        for username in (
            "user11",
            "user12",
            "user13",
            "user14",
            "user21",
            "user22",
            "user23",
            "user41",
            "user42",
            "user43",
        )
    })
    # create permissions
    permissions.update({
        permission: get_or_create_permission(
            session, permission, description="{} permission".format(permission))[0]
        for permission in [PERMISSION_NAME]
    })
    # add users to groups
    for (groupname, username, role) in (
        ("group-1", "user11", "owner"),
        ("group-1", "user12", "member"),
        ("group-1", "user13", "np-owner"),
        ("group-1", "user14", "owner"),
        ("group-2", "user13", "np-owner"),
        ("group-2", "user21", "owner"),
        ("group-2", "user22", "member"),
        ("group-3", "user12", "owner"),
        ("group-3", "user22", "owner"),
        ("group-4", "user21", "np-owner"),
        ("group-4", "user41", "member"),
        ("group-4", "user42", "owner"),
        ("group-4", "user43", "np-owner"),
    ):
        add_member(all_groups[groupname], users[username + "@a.co"], role=role)
    # add group-4 as member of group-1
    # (a Group is passed as the member, so group-4 inherits group-1's grants)
    add_member(all_groups["group-1"], all_groups["group-4"])
    # add user14 to auditors group
    add_member(all_groups[AUDITORS_GROUP], users["*****@*****.**"])
    # grant permissions to groups
    #
    # give the test permission to groups 1 and 2, and group 4 should
    # also inherit from group 1
    grant_permission(all_groups["group-1"], permissions[PERMISSION_NAME])
    grant_permission(all_groups["group-2"], permissions[PERMISSION_NAME])
    # The auditors group is marked as such by holding PERMISSION_AUDITOR.
    grant_permission(all_groups[AUDITORS_GROUP], permissions[PERMISSION_AUDITOR])

    # Refresh the in-memory graph from the DB; repeated after every mutation
    # below because the assertions read the graph, not the session.
    graph.update_from_db(session)
    # done setting up

    # now a few pre-op checks
    assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
    assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
    assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
    assert get_users(graph, "group-3") == set(["*****@*****.**", "*****@*****.**"])

    #
    # run the promotion logic -> nothing should happen because the
    # test-permission is not yet audited
    #
    # The second BackgroundProcessor argument is None here; its role is not
    # visible in this file.
    background = BackgroundProcessor(settings, None)
    background.promote_nonauditors(session)
    graph.update_from_db(session)
    # nothing should have happened
    assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
    assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
    assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
    assert mock_nnp.call_count == 0

    #
    # now enable auditing for the permission and run the promotion
    # logic again
    #
    # Third argument is the acting user's id (recorded as the actor).
    enable_permission_auditing(session, PERMISSION_NAME, users["*****@*****.**"].id)
    graph.update_from_db(session)
    # Both the direct holder (group-1) and the nested holder (group-4) must now
    # be flagged as audited.
    assert graph.get_group_details("group-1").get(AUDITED_GROUP)
    assert graph.get_group_details("group-4").get(AUDITED_GROUP)
    background = BackgroundProcessor(settings, None)
    background.promote_nonauditors(session)
    graph.update_from_db(session)
    # check that stuff happened
    # Six members: the original auditor plus the five promoted approvers.
    assert get_users(graph, AUDITORS_GROUP) == set([
        "*****@*****.**",
        "*****@*****.**",
        "*****@*****.**",
        "*****@*****.**",
        "*****@*****.**",
        "*****@*****.**",
    ])
    # One notification per promoted user, carrying the set of audited groups
    # that made the promotion necessary.
    expected_calls = [
        call(settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-1"])),
        call(
            settings,
            session,
            users["*****@*****.**"],
            all_groups[AUDITORS_GROUP],
            set(["group-1", "group-2"]),
        ),
        call(
            settings,
            session,
            users["*****@*****.**"],
            all_groups[AUDITORS_GROUP],
            set(["group-2", "group-4"]),
        ),
        call(settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-4"])),
        call(settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-4"])),
    ]
    assert mock_nnp.call_count == len(expected_calls)
    mock_nnp.assert_has_calls(expected_calls, any_order=True)

    #
    # run the background promotion logic again, and nothing should
    # happen
    #
    # Idempotence: a second pass must not re-notify already-promoted users.
    mock_nnp.reset_mock()
    background = BackgroundProcessor(settings, None)
    background.promote_nonauditors(session)
    assert mock_nnp.call_count == 0
def test_reject_disabling_system_permissions(perm_name, session, permissions):  # noqa: F811
    """Disabling a system permission must raise CannotDisableASystemPermission.

    ``perm_name`` is supplied by the caller (presumably a parametrize list of
    system permission names defined outside this view); ``permissions`` is not
    read and presumably exists only for fixture ordering.

    The permission is created first so that the rejection exercised here is
    the system-permission guard itself rather than a "no such permission"
    path. The raised exception must carry the refused permission's name.

    NOTE(review): the third argument, ``0``, stands in for the acting user id;
    presumably nothing is recorded because the guard raises first -- confirm.
    """
    get_or_create_permission(session, perm_name)

    with pytest.raises(CannotDisableASystemPermission) as raised:
        disable_permission(session, perm_name, 0)

    refused = raised.value
    assert refused.name == perm_name