def test_sa_pubkeys(session, users, http_client, base_url): user = users['*****@*****.**'] # Add account create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin') u = User.get(session, name="*****@*****.**") g = Group.get(session, name="*****@*****.**") assert u is not None assert g is not None assert is_role_user(session, user=u) assert is_role_user(session, group=g) assert get_role_user(session, user=u).group.id == g.id assert get_role_user(session, group=g).user.id == u.id assert not is_role_user(session, user=user) assert not is_role_user(session, group=Group.get(session, name="team-sre")) assert not get_public_keys_of_user(session, user.id) with pytest.raises(HTTPError): # add it fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({'public_key': SSH_KEY_1}), headers={'X-Grouper-User': "******"}) # add it fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({'public_key': SSH_KEY_1}), headers={'X-Grouper-User': user.username}) assert resp.code == 200 # add bad key -- shouldn't add fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({'public_key': SSH_KEY_BAD}), headers={'X-Grouper-User': user.username}) assert resp.code == 200 sa = User.get(session, name="*****@*****.**") keys = get_public_keys_of_user(session, sa.id) assert len(keys) == 1 assert keys[0].public_key == SSH_KEY_1 with pytest.raises(HTTPError): # delete it fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id)) resp = yield http_client.fetch(fe_url, method="POST", body='', headers={'X-Grouper-User': "******"}) # delete it fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id)) resp = yield http_client.fetch(fe_url, method="POST", body='', headers={'X-Grouper-User': user.username}) assert resp.code == 200 sa = User.get(session, name="*****@*****.**") assert not get_public_keys_of_user(session, sa.id)
def post(self): if "@" not in self.request.arguments["name"][0]: self.request.arguments["name"][0] += "@" + settings.service_account_email_domain form = RoleUserCreateForm(self.request.arguments) if not form.validate(): return self.render( "role-user-create.html", form=form, alerts=self.get_form_alerts(form.errors) ) if form.data["name"].split("@")[-1] != settings.service_account_email_domain: form.name.errors.append("All service accounts must have a username ending in {}" .format(settings.service_account_email_domain)) return self.render( "role-user-create.html", form=form, alerts=self.get_form_alerts(form.errors) ) try: create_role_user(self.session, self.current_user, form.data["name"], form.data["description"], form.data["canjoin"]) except IntegrityError: self.session.rollback() form.name.errors.append("A user or group with name {} already exists" .format(form.data["name"])) return self.render( "role-user-create.html", form=form, alerts=self.get_form_alerts(form.errors) ) return self.redirect("/service/{}?refresh=yes".format(form.data["name"]))
def test_sa_tokens(session, users, http_client, base_url): user = users['*****@*****.**'] # Add account create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin') u = User.get(session, name="*****@*****.**") g = Group.get(session, name="*****@*****.**") assert u is not None assert g is not None assert is_role_user(session, user=u) assert is_role_user(session, group=g) assert get_role_user(session, user=u).group.id == g.id assert get_role_user(session, group=g).user.id == u.id assert not is_role_user(session, user=user) assert not is_role_user(session, group=Group.get(session, name="team-sre")) with pytest.raises(HTTPError): # Add token fe_url = url(base_url, '/users/{}/tokens/add'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({'name': 'myDHDToken'}), headers={'X-Grouper-User': "******"}) # Add token fe_url = url(base_url, '/users/{}/tokens/add'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({'name': 'myDHDToken'}), headers={'X-Grouper-User': user.username}) assert resp.code == 200 # Verify add fe_url = url(base_url, '/users/{}'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="GET", headers={'X-Grouper-User': user.username}) assert resp.code == 200 assert "Added token: myDHDToken" in resp.body with pytest.raises(HTTPError): # Disable token fe_url = url(base_url, '/users/{}/tokens/1/disable'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body="", headers={'X-Grouper-User': "******"}) # Disable token fe_url = url(base_url, '/users/{}/tokens/1/disable'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body="", headers={'X-Grouper-User': user.username}) assert resp.code == 200 # Verify disable fe_url = url(base_url, '/users/{}'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="GET", headers={'X-Grouper-User': user.username}) assert resp.code == 200 assert "Disabled token: myDHDToken" in resp.body
def test_user_created_plugin(mocker, session, users, groups): # noqa: F811 """Test calls to the user_created plugin.""" plugin = UserCreatedPlugin() mocker.patch("grouper.models.user.get_plugin_proxy", return_value=PluginProxy([plugin])) # Create a regular user. The service account flag should be false, and the plugin should be # called. user, created = User.get_or_create(session, username="******") assert created == True assert plugin.calls == 1 # Create a role user. This should cause another plugin call and the service account flag # should now be true. plugin.expected_service_account = True create_role_user(session, user, "*****@*****.**", "description", "canask") assert plugin.calls == 2
def test_user_created_plugin(session, users, groups): """Test calls to the user_created plugin.""" plugin = UserCreatedPlugin() grouper.plugin.Plugins = [plugin] # Create a regular user. The service account flag should be false, and the plugin should be # called. user, created = User.get_or_create(session, username="******") assert created == True assert plugin.calls == 1 # Create a role user. This should cause another plugin call and the service account flag # should now be true. plugin.expected_service_account = True create_role_user(session, user, "*****@*****.**", "description", "canask") assert plugin.calls == 2
def test_add_role_user(session, users, http_client, base_url): user = users['*****@*****.**'] # Add account create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin') u = User.get(session, name="*****@*****.**") g = Group.get(session, name="*****@*****.**") assert u is not None assert g is not None assert is_role_user(session, user=u) assert is_role_user(session, group=g) assert get_role_user(session, user=u).group.id == g.id assert get_role_user(session, group=g).user.id == u.id assert not is_role_user(session, user=user) assert not is_role_user(session, group=Group.get(session, name="team-sre"))
def test_add_role_user(session, users, http_client, base_url): # noqa: F811 user = users["*****@*****.**"] # Add account create_role_user(session, user, "*****@*****.**", "Hi", "canjoin") u = User.get(session, name="*****@*****.**") g = Group.get(session, name="*****@*****.**") assert u is not None assert g is not None assert is_role_user(session, user=u) assert is_role_user(session, group=g) assert get_role_user(session, user=u).group.id == g.id assert get_role_user(session, group=g).user.id == u.id assert not is_role_user(session, user=user) assert not is_role_user(session, group=Group.get(session, name="team-sre"))
def test_remove_last_owner_of_service_account(async_server, browser, session, users): # noqa: F811 create_role_user(session, users["*****@*****.**"], "*****@*****.**", "things", "canask") fe_url = url(async_server, "/service/[email protected]") browser.get(fe_url) page = RoleUserViewPage(browser) row = page.find_member_row("*****@*****.**") row.click_remove_button() modal = page.get_remove_user_modal() modal.confirm() assert page.current_url.endswith("/service/[email protected]") assert page.has_text(group_ownership_policy.EXCEPTION_MESSAGE)
def test_disable_role_user(session, users, http_client, base_url): user = users['*****@*****.**'] # Add account create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin') u = User.get(session, name="*****@*****.**") g = Group.get(session, name="*****@*****.**") assert u is not None assert g is not None assert is_role_user(session, user=u) assert is_role_user(session, group=g) assert get_role_user(session, user=u).group.id == g.id assert get_role_user(session, group=g).user.id == u.id assert not is_role_user(session, user=user) assert not is_role_user(session, group=Group.get(session, name="team-sre")) disable_role_user(session, user=u) u = User.get(session, name="*****@*****.**") assert not u.enabled, "The SA User should be disabled" g = Group.get(session, name="*****@*****.**") assert not g.enabled, "The SA Group should be disabled" enable_role_user(session, actor=user, group=g, preserve_membership=True) u = User.get(session, name="*****@*****.**") assert u.enabled, "The SA User should be enabled" g = Group.get(session, name="*****@*****.**") assert g.enabled, "The SA Group should be enabled" with pytest.raises(HTTPError): fe_url = url(base_url, '/groups/{}/disable'.format("*****@*****.**")) resp = yield http_client.fetch( fe_url, method="POST", body="", headers={'X-Grouper-User': user.username}) u = User.get(session, name="*****@*****.**") assert u.enabled, "Attempting to disable SAs through groups/disable should not work" g = Group.get(session, name="*****@*****.**") assert g.enabled, "Attempting to disable SAs through groups/disable should not work" fe_url = url(base_url, '/users/{}/disable'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body="", headers={'X-Grouper-User': user.username}) u = User.get(session, name="*****@*****.**") assert not u.enabled, "The SA User should be disabled" g = Group.get(session, name="*****@*****.**") assert not g.enabled, "The SA Group should be disabled" with pytest.raises(HTTPError): fe_url = url(base_url, '/groups/{}/enable'.format("*****@*****.**")) resp = yield http_client.fetch( fe_url, method="POST", body="", headers={'X-Grouper-User': user.username}) u = User.get(session, name="*****@*****.**") assert not u.enabled, "Attempting to enable SAs through groups/enable should not work" g = Group.get(session, name="*****@*****.**") assert not g.enabled, "Attempting to enable SAs through groups/enable should not work"
def test_sa_pubkeys(session, users, http_client, base_url): user = users['*****@*****.**'] # Add account create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin') u = User.get(session, name="*****@*****.**") g = Group.get(session, name="*****@*****.**") assert u is not None assert g is not None assert is_role_user(session, user=u) assert is_role_user(session, group=g) assert get_role_user(session, user=u).group.id == g.id assert get_role_user(session, group=g).user.id == u.id assert not is_role_user(session, user=user) assert not is_role_user(session, group=Group.get(session, name="team-sre")) assert not get_public_keys_of_user(session, user.id) with pytest.raises(HTTPError): # add it fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body=urlencode( {'public_key': SSH_KEY_1}), headers={'X-Grouper-User': "******"}) # add it fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({'public_key': SSH_KEY_1}), headers={'X-Grouper-User': user.username}) assert resp.code == 200 # add bad key -- shouldn't add fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({'public_key': SSH_KEY_BAD}), headers={'X-Grouper-User': user.username}) assert resp.code == 200 sa = User.get(session, name="*****@*****.**") keys = get_public_keys_of_user(session, sa.id) assert len(keys) == 1 assert keys[0].public_key == SSH_KEY_1 with pytest.raises(HTTPError): # delete it fe_url = url( base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id)) resp = yield http_client.fetch(fe_url, method="POST", body='', headers={'X-Grouper-User': "******"}) # delete it fe_url = url( base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id)) resp = yield http_client.fetch(fe_url, method="POST", body='', headers={'X-Grouper-User': user.username}) assert resp.code == 200 sa = User.get(session, name="*****@*****.**") assert not get_public_keys_of_user(session, sa.id)
def test_disable_role_user(session, users, http_client, base_url): # noqa: F811 user = users["*****@*****.**"] # Add account create_role_user(session, user, "*****@*****.**", "Hi", "canjoin") u = User.get(session, name="*****@*****.**") g = Group.get(session, name="*****@*****.**") assert u is not None assert g is not None assert is_role_user(session, user=u) assert is_role_user(session, group=g) assert get_role_user(session, user=u).group.id == g.id assert get_role_user(session, group=g).user.id == u.id assert not is_role_user(session, user=user) assert not is_role_user(session, group=Group.get(session, name="team-sre")) disable_role_user(session, user=u) u = User.get(session, name="*****@*****.**") assert not u.enabled, "The SA User should be disabled" g = Group.get(session, name="*****@*****.**") assert not g.enabled, "The SA Group should be disabled" enable_role_user(session, actor=user, group=g, preserve_membership=True) u = User.get(session, name="*****@*****.**") assert u.enabled, "The SA User should be enabled" g = Group.get(session, name="*****@*****.**") assert g.enabled, "The SA Group should be enabled" with pytest.raises(HTTPError): fe_url = url(base_url, "/groups/{}/disable".format("*****@*****.**")) yield http_client.fetch( fe_url, method="POST", body="", headers={"X-Grouper-User": user.username} ) u = User.get(session, name="*****@*****.**") assert u.enabled, "Attempting to disable SAs through groups/disable should not work" g = Group.get(session, name="*****@*****.**") assert g.enabled, "Attempting to disable SAs through groups/disable should not work" fe_url = url(base_url, "/users/{}/disable".format("*****@*****.**")) yield http_client.fetch( fe_url, method="POST", body="", headers={"X-Grouper-User": user.username} ) u = User.get(session, name="*****@*****.**") assert not u.enabled, "The SA User should be disabled" g = Group.get(session, name="*****@*****.**") assert not g.enabled, "The SA Group should be disabled" with pytest.raises(HTTPError): fe_url = url(base_url, "/groups/{}/enable".format("*****@*****.**")) yield http_client.fetch( fe_url, method="POST", body="", headers={"X-Grouper-User": user.username} ) u = User.get(session, name="*****@*****.**") assert not u.enabled, "Attempting to enable SAs through groups/enable should not work" g = Group.get(session, name="*****@*****.**") assert not g.enabled, "Attempting to enable SAs through groups/enable should not work"
def test_sa_tokens(session, users, http_client, base_url): # noqa: F811 user = users["*****@*****.**"] # Add account create_role_user(session, user, "*****@*****.**", "Hi", "canjoin") u = User.get(session, name="*****@*****.**") g = Group.get(session, name="*****@*****.**") assert u is not None assert g is not None assert is_role_user(session, user=u) assert is_role_user(session, group=g) assert get_role_user(session, user=u).group.id == g.id assert get_role_user(session, group=g).user.id == u.id assert not is_role_user(session, user=user) assert not is_role_user(session, group=Group.get(session, name="team-sre")) with pytest.raises(HTTPError): # Add token fe_url = url(base_url, "/users/{}/tokens/add".format("*****@*****.**")) resp = yield http_client.fetch( fe_url, method="POST", body=urlencode({"name": "myDHDToken"}), headers={"X-Grouper-User": "******"}, ) # Add token fe_url = url(base_url, "/users/{}/tokens/add".format("*****@*****.**")) resp = yield http_client.fetch( fe_url, method="POST", body=urlencode({"name": "myDHDToken"}), headers={"X-Grouper-User": user.username}, ) assert resp.code == 200 # Verify add fe_url = url(base_url, "/users/{}".format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="GET", headers={"X-Grouper-User": user.username}) assert resp.code == 200 assert b"Added token: myDHDToken" in resp.body with pytest.raises(HTTPError): # Disable token fe_url = url(base_url, "/users/{}/tokens/1/disable".format("*****@*****.**")) resp = yield http_client.fetch( fe_url, method="POST", body="", headers={"X-Grouper-User": "******"} ) # Disable token fe_url = url(base_url, "/users/{}/tokens/1/disable".format("*****@*****.**")) resp = yield http_client.fetch( fe_url, method="POST", body="", headers={"X-Grouper-User": user.username} ) assert resp.code == 200 # Verify disable fe_url = url(base_url, "/users/{}".format("*****@*****.**")) resp = yield http_client.fetch(fe_url, method="GET", headers={"X-Grouper-User": user.username}) assert resp.code == 200 assert b"Disabled token: myDHDToken" in resp.body