def test_sa_pubkeys(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
assert not get_public_keys_of_user(session, user.id)
with pytest.raises(HTTPError):
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': "******"})
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# add bad key -- shouldn't add
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_BAD}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
keys = get_public_keys_of_user(session, sa.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
with pytest.raises(HTTPError):
# delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': "******"})
# delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
assert not get_public_keys_of_user(session, sa.id)
def post(self):
if "@" not in self.request.arguments["name"][0]:
self.request.arguments["name"][0] += "@" + settings.service_account_email_domain
form = RoleUserCreateForm(self.request.arguments)
if not form.validate():
return self.render(
"role-user-create.html", form=form,
alerts=self.get_form_alerts(form.errors)
)
if form.data["name"].split("@")[-1] != settings.service_account_email_domain:
form.name.errors.append("All service accounts must have a username ending in {}"
.format(settings.service_account_email_domain))
return self.render(
"role-user-create.html", form=form,
alerts=self.get_form_alerts(form.errors)
)
try:
create_role_user(self.session, self.current_user, form.data["name"],
form.data["description"], form.data["canjoin"])
except IntegrityError:
self.session.rollback()
form.name.errors.append("A user or group with name {} already exists"
.format(form.data["name"]))
return self.render(
"role-user-create.html", form=form,
alerts=self.get_form_alerts(form.errors)
)
return self.redirect("/service/{}?refresh=yes".format(form.data["name"]))
def test_sa_tokens(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
with pytest.raises(HTTPError):
# Add token
fe_url = url(base_url, '/users/{}/tokens/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'name': 'myDHDToken'}),
headers={'X-Grouper-User': "******"})
# Add token
fe_url = url(base_url, '/users/{}/tokens/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'name': 'myDHDToken'}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# Verify add
fe_url = url(base_url, '/users/{}'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="GET",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert "Added token: myDHDToken" in resp.body
with pytest.raises(HTTPError):
# Disable token
fe_url = url(base_url, '/users/{}/tokens/1/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': "******"})
# Disable token
fe_url = url(base_url, '/users/{}/tokens/1/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# Verify disable
fe_url = url(base_url, '/users/{}'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="GET",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert "Disabled token: myDHDToken" in resp.body
def test_user_created_plugin(mocker, session, users, groups): # noqa: F811
"""Test calls to the user_created plugin."""
plugin = UserCreatedPlugin()
mocker.patch("grouper.models.user.get_plugin_proxy", return_value=PluginProxy([plugin]))
# Create a regular user. The service account flag should be false, and the plugin should be
# called.
user, created = User.get_or_create(session, username="******")
assert created == True
assert plugin.calls == 1
# Create a role user. This should cause another plugin call and the service account flag
# should now be true.
plugin.expected_service_account = True
create_role_user(session, user, "*****@*****.**", "description", "canask")
assert plugin.calls == 2
def test_user_created_plugin(session, users, groups):
"""Test calls to the user_created plugin."""
plugin = UserCreatedPlugin()
grouper.plugin.Plugins = [plugin]
# Create a regular user. The service account flag should be false, and the plugin should be
# called.
user, created = User.get_or_create(session, username="******")
assert created == True
assert plugin.calls == 1
# Create a role user. This should cause another plugin call and the service account flag
# should now be true.
plugin.expected_service_account = True
create_role_user(session, user, "*****@*****.**", "description", "canask")
assert plugin.calls == 2
def test_add_role_user(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
def test_add_role_user(session, users, http_client, base_url): # noqa: F811
user = users["*****@*****.**"]
# Add account
create_role_user(session, user, "*****@*****.**", "Hi", "canjoin")
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
def test_user_created_plugin(mocker, session, users, groups): # noqa: F811
"""Test calls to the user_created plugin."""
plugin = UserCreatedPlugin()
mocker.patch("grouper.models.user.get_plugin_proxy",
return_value=PluginProxy([plugin]))
# Create a regular user. The service account flag should be false, and the plugin should be
# called.
user, created = User.get_or_create(session, username="******")
assert created == True
assert plugin.calls == 1
# Create a role user. This should cause another plugin call and the service account flag
# should now be true.
plugin.expected_service_account = True
create_role_user(session, user, "*****@*****.**", "description", "canask")
assert plugin.calls == 2
def test_add_role_user(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
def test_remove_last_owner_of_service_account(async_server, browser, session,
users): # noqa: F811
create_role_user(session, users["*****@*****.**"], "*****@*****.**",
"things", "canask")
fe_url = url(async_server, "/service/[email protected]")
browser.get(fe_url)
page = RoleUserViewPage(browser)
row = page.find_member_row("*****@*****.**")
row.click_remove_button()
modal = page.get_remove_user_modal()
modal.confirm()
assert page.current_url.endswith("/service/[email protected]")
assert page.has_text(group_ownership_policy.EXCEPTION_MESSAGE)
def test_disable_role_user(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
disable_role_user(session, user=u)
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "The SA User should be disabled"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "The SA Group should be disabled"
enable_role_user(session, actor=user, group=g, preserve_membership=True)
u = User.get(session, name="*****@*****.**")
assert u.enabled, "The SA User should be enabled"
g = Group.get(session, name="*****@*****.**")
assert g.enabled, "The SA Group should be enabled"
with pytest.raises(HTTPError):
fe_url = url(base_url,
'/groups/{}/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(
fe_url,
method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert u.enabled, "Attempting to disable SAs through groups/disable should not work"
g = Group.get(session, name="*****@*****.**")
assert g.enabled, "Attempting to disable SAs through groups/disable should not work"
fe_url = url(base_url, '/users/{}/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "The SA User should be disabled"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "The SA Group should be disabled"
with pytest.raises(HTTPError):
fe_url = url(base_url, '/groups/{}/enable'.format("*****@*****.**"))
resp = yield http_client.fetch(
fe_url,
method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "Attempting to enable SAs through groups/enable should not work"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "Attempting to enable SAs through groups/enable should not work"
def test_sa_tokens(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
with pytest.raises(HTTPError):
# Add token
fe_url = url(base_url,
'/users/{}/tokens/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'name': 'myDHDToken'}),
headers={'X-Grouper-User': "******"})
# Add token
fe_url = url(base_url, '/users/{}/tokens/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'name': 'myDHDToken'}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# Verify add
fe_url = url(base_url, '/users/{}'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="GET",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert "Added token: myDHDToken" in resp.body
with pytest.raises(HTTPError):
# Disable token
fe_url = url(base_url,
'/users/{}/tokens/1/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body="",
headers={'X-Grouper-User': "******"})
# Disable token
fe_url = url(base_url,
'/users/{}/tokens/1/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body="",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# Verify disable
fe_url = url(base_url, '/users/{}'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="GET",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert "Disabled token: myDHDToken" in resp.body
def test_sa_pubkeys(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
assert not get_public_keys_of_user(session, user.id)
with pytest.raises(HTTPError):
# add it
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode(
{'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': "******"})
# add it
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# add bad key -- shouldn't add
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': SSH_KEY_BAD}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
keys = get_public_keys_of_user(session, sa.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
with pytest.raises(HTTPError):
# delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format("*****@*****.**",
keys[0].id))
resp = yield http_client.fetch(fe_url,
method="POST",
body='',
headers={'X-Grouper-User': "******"})
# delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format("*****@*****.**",
keys[0].id))
resp = yield http_client.fetch(fe_url,
method="POST",
body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
assert not get_public_keys_of_user(session, sa.id)
def test_disable_role_user(session, users, http_client, base_url): # noqa: F811
user = users["*****@*****.**"]
# Add account
create_role_user(session, user, "*****@*****.**", "Hi", "canjoin")
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
disable_role_user(session, user=u)
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "The SA User should be disabled"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "The SA Group should be disabled"
enable_role_user(session, actor=user, group=g, preserve_membership=True)
u = User.get(session, name="*****@*****.**")
assert u.enabled, "The SA User should be enabled"
g = Group.get(session, name="*****@*****.**")
assert g.enabled, "The SA Group should be enabled"
with pytest.raises(HTTPError):
fe_url = url(base_url, "/groups/{}/disable".format("*****@*****.**"))
yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
)
u = User.get(session, name="*****@*****.**")
assert u.enabled, "Attempting to disable SAs through groups/disable should not work"
g = Group.get(session, name="*****@*****.**")
assert g.enabled, "Attempting to disable SAs through groups/disable should not work"
fe_url = url(base_url, "/users/{}/disable".format("*****@*****.**"))
yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
)
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "The SA User should be disabled"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "The SA Group should be disabled"
with pytest.raises(HTTPError):
fe_url = url(base_url, "/groups/{}/enable".format("*****@*****.**"))
yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
)
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "Attempting to enable SAs through groups/enable should not work"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "Attempting to enable SAs through groups/enable should not work"
def test_sa_tokens(session, users, http_client, base_url): # noqa: F811
user = users["*****@*****.**"]
# Add account
create_role_user(session, user, "*****@*****.**", "Hi", "canjoin")
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
with pytest.raises(HTTPError):
# Add token
fe_url = url(base_url, "/users/{}/tokens/add".format("*****@*****.**"))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"name": "myDHDToken"}),
headers={"X-Grouper-User": "******"},
)
# Add token
fe_url = url(base_url, "/users/{}/tokens/add".format("*****@*****.**"))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"name": "myDHDToken"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
# Verify add
fe_url = url(base_url, "/users/{}".format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="GET", headers={"X-Grouper-User": user.username})
assert resp.code == 200
assert b"Added token: myDHDToken" in resp.body
with pytest.raises(HTTPError):
# Disable token
fe_url = url(base_url, "/users/{}/tokens/1/disable".format("*****@*****.**"))
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": "******"}
)
# Disable token
fe_url = url(base_url, "/users/{}/tokens/1/disable".format("*****@*****.**"))
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
)
assert resp.code == 200
# Verify disable
fe_url = url(base_url, "/users/{}".format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="GET", headers={"X-Grouper-User": user.username})
assert resp.code == 200
assert b"Disabled token: myDHDToken" in resp.body