def test_require_clickthru(tmpdir: LocalPath, setup: SetupTest,
                           browser: Chrome) -> None:
    """Joining a group created with "require clickthru" must go through the clickthru modal.

    The group is created from the groups listing with the clickthru checkbox ticked.
    In a second frontend_server session the join form is submitted, the clickthru
    modal is confirmed, and the member row is expected on the group page.
    """
    # Create the group with the clickthru requirement switched on.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups"))
        listing = GroupsViewPage(browser)
        listing.click_create_group_button()
        create_modal = listing.get_create_group_modal()
        create_modal.set_group_name("test-group")
        create_modal.set_join_policy(GroupJoinPolicy.CAN_JOIN)
        create_modal.click_require_clickthru_checkbox()
        create_modal.confirm()

    # Join it; the clickthru dialog has to be confirmed before membership is granted.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/test-group/join"))
        join_form = GroupJoinPage(browser)
        join_form.set_reason("Testing")
        join_form.submit()
        join_form.get_clickthru_modal().confirm()

        group_view = GroupViewPage(browser)
        assert group_view.current_url.endswith(
            "/groups/test-group?refresh=yes")
        assert group_view.find_member_row("*****@*****.**")
def test_disabling_group_clears_audit(tmpdir: LocalPath, setup: SetupTest,
                                      browser: Chrome) -> None:
    """Disabling a group under audit completes the audit and marks its reminders sent.

    An audited permission is granted to ``some-group`` and an ``auditors`` group gets
    the audit-management permissions.  An audit is started through the UI, the unsent
    reminder notifications for the group owner are checked, then the group is disabled
    and only the immediately-sent notification may remain unsent.
    """
    end_date = datetime.utcnow() + timedelta(days=60)

    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.create_permission("some-permission", audited=True)
        setup.grant_permission_to_group("some-permission", "argument",
                                        "some-group")
        setup.add_user_to_group("*****@*****.**", "auditors")
        for audit_permission in (AUDIT_VIEWER, AUDIT_MANAGER, PERMISSION_AUDITOR):
            setup.grant_permission_to_group(audit_permission, "", "auditors")

    # Start the audit and confirm the group page reports it as in progress.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/audits/create"))
        audit_form = AuditsCreatePage(browser)
        audit_form.set_end_date(end_date.strftime("%m/%d/%Y"))
        audit_form.submit()

        browser.get(url(base_url, "/groups/some-group"))
        group_view = GroupViewPage(browser)
        assert group_view.subheading == "some-group AUDIT IN PROGRESS"

    def unsent_owner_emails():
        # Unsent notifications addressed to the group owner.
        return setup.session.query(AsyncNotification).filter_by(
            sent=False, email="*****@*****.**").all()

    # The frontend wrote through its own connection; reopen the session so SQLite
    # sees the reminder rows it created.
    setup.reopen_database()
    group = Group.get(setup.session, name="some-group")
    assert group
    audit_key = "audit-{}".format(group.id)
    pending = unsent_owner_emails()
    assert len(pending) > 0
    for notification in pending:
        assert notification.key is None or notification.key == audit_key
        assert "Group Audit" in notification.subject

    # Disabling the group is expected to complete the audit.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/some-group"))
        group_view = GroupViewPage(browser)
        group_view.get_audit_modal().click_close_button()
        group_view.wait_until_audit_modal_clears()
        group_view.click_disable_button()
        group_view.get_disable_modal().confirm()

        assert group_view.subheading == "some-group (disabled)"

    # Every queued reminder should now be marked sent; the single remaining unsent
    # message is the immediate one that was not created with async_send_email.
    setup.reopen_database()
    pending = unsent_owner_emails()
    assert len(pending) == 1
    assert pending[0].key is None
def test_require_clickthru(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Joining a group created with "require clickthru" must go through the clickthru modal.

    The group is created from the groups listing with the clickthru checkbox ticked.
    In a second frontend_server session the join form is submitted, the clickthru
    modal is confirmed, and the member row is expected on the group page.
    """
    # Create the group with the clickthru requirement switched on.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups"))
        listing = GroupsViewPage(browser)
        listing.click_create_group_button()
        create_modal = listing.get_create_group_modal()
        create_modal.set_group_name("test-group")
        create_modal.set_join_policy(GroupJoinPolicy.CAN_JOIN)
        create_modal.click_require_clickthru_checkbox()
        create_modal.confirm()

    # Join it; the clickthru dialog has to be confirmed before membership is granted.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/test-group/join"))
        join_form = GroupJoinPage(browser)
        join_form.set_reason("Testing")
        join_form.submit()
        join_form.get_clickthru_modal().confirm()

        group_view = GroupViewPage(browser)
        assert group_view.current_url.endswith("/groups/test-group?refresh=yes")
        assert group_view.find_member_row("*****@*****.**")
def test_permission_grant_denied(tmpdir: LocalPath, setup: SetupTest,
                                 browser: Chrome) -> None:
    """Granting a service account a permission its owning group lacks is refused.

    A member of the owning group submits the grant form with an argument the group
    does not hold and gets a "Permission denied" alert.  A user outside the owning
    group can see the Add Permission button but the grant page answers 403.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.add_user_to_group("*****@*****.**", "other-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    grant_path = "/groups/some-group/service/[email protected]/grant"
    account_path = "/groups/some-group/service/[email protected]"

    # Owning-group member: the group only holds "foo", so "bar" must be refused.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, grant_path))

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("bar")
        grant_form.submit()

        assert grant_form.has_alert("Permission denied")

    # Unrelated user: the button renders, but following it yields a 403 error page.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert len(account_view.permission_rows) == 0
        account_view.click_add_permission_button()

        error_view = ErrorPage(browser)
        assert error_view.heading == "Error"
        assert error_view.subheading == "403 Forbidden"
def test_permission_revoke_denied(tmpdir: LocalPath, setup: SetupTest,
                                  browser: Chrome) -> None:
    """Revoking a service account permission is refused for users who may not manage it.

    A user outside the owning group sees no revoke button at all.  The user is then
    added to the group so the button renders, removed again before the button is
    clicked, and the server must reject the revoke as unauthorized.
    """
    account_path = "/groups/some-group/service/[email protected]"

    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")
        setup.grant_permission_to_service_account("some-permission", "*",
                                                  "*****@*****.**")
        setup.create_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        rows = account_view.permission_rows
        assert len(rows) == 1
        grant = rows[0]
        assert grant.permission == "some-permission"
        assert grant.argument == "*"

        # No revoke button is rendered for someone who cannot manage the account.
        with pytest.raises(NoSuchElementException):
            grant.click_revoke_button()

    # Make the button appear by joining the group, then drop the membership right before
    # clicking it.  Selenium can only initiate GETs, so this is the only way to reach the
    # server-side check on the revoke POST without the button.
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        rows = account_view.permission_rows
        assert len(rows) == 1
        grant = rows[0]

        with setup.transaction():
            setup.remove_user_from_group("*****@*****.**", "some-group")

        grant.click_revoke_button()
        account_view.get_revoke_permission_modal().confirm()

        assert account_view.has_text(
            "The operation you tried to complete is unauthorized")
def test_request_permission(tmpdir: LocalPath, setup: SetupTest,
                            browser: Chrome) -> None:
    """A group owner can request a permission and lands on the new request's page.

    Fills in the permission request form reached from the group view page and checks
    that the resulting request page shows the group, the argument, and the reason.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", "owner")
        setup.create_permission("some-permission")
        setup.add_user_to_group("*****@*****.**", "admins")
        setup.grant_permission_to_group(PERMISSION_GRANT, "some-permission",
                                        "admins")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/some-group"))
        GroupViewPage(browser).click_request_permission_button()

        request_form = PermissionRequestPage(browser)
        request_form.set_permission("some-permission")
        request_form.set_argument_freeform("some-argument")
        request_form.set_reason("testing")
        request_form.submit()

        assert browser.current_url.endswith("/permissions/requests/1")
        request_view = PermissionRequestUpdatePage(browser)
        for expected_text in ("some-group", "some-argument", "testing"):
            assert request_view.has_text(expected_text)
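def _parse_csp(csp_header):
    # type: (str) -> dict
    """Split a Content-Security-Policy header value into a directive -> value mapping.

    Directives are separated by ";".  A directive that carries no value, and the empty
    segment left behind by a trailing ";", no longer raise a ValueError from tuple
    unpacking; a value-less directive maps to "".  A repeated directive keeps the last
    occurrence, as the previous inline parser did.
    """
    directives = {}
    for segment in csp_header.split(";"):
        fields = segment.strip().split(None, 1)
        if not fields:
            continue
        directives[fields[0]] = fields[1] if len(fields) > 1 else ""
    return directives


def test_csp(tmpdir, setup):
    # type: (LocalPath, SetupTest) -> None
    """The frontend's Content-Security-Policy must be restrictive and honor cdnjs_prefix.

    Fetches "/" from a frontend server and checks that default-src is 'none', that
    neither script-src nor style-src allow unsafe-inline, that SRI is required for
    scripts and styles, and that the configured cdnjs_prefix appears in script-src.
    """
    with setup.transaction():
        setup.create_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        response = urlopen(url(frontend_url, "/"))
        try:
            assert response.getcode() == 200
            headers = response.info()
        finally:
            # Release the connection explicitly instead of leaving it to the garbage
            # collector while the frontend server is being torn down.
            response.close()

    # Some basic sanity checks on the Content-Security-Policy.
    assert "Content-Security-Policy" in headers
    csp_directive = _parse_csp(str(headers["Content-Security-Policy"]))
    assert csp_directive["default-src"] == "'none'"
    assert "unsafe-inline" not in csp_directive["script-src"]
    assert "unsafe-inline" not in csp_directive["style-src"]
    assert "script" in csp_directive["require-sri-for"]
    assert "style" in csp_directive["require-sri-for"]

    # Make sure the cdnjs_prefix setting was honored.
    settings = FrontendSettings()
    assert settings.cdnjs_prefix in csp_directive["script-src"]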
def test_remove_last_owner_via_audit(tmpdir: LocalPath, setup: SetupTest,
                                     browser: Chrome) -> None:
    """An audit may not strip a group of its last owner.

    The audited group has one owner without an expiration and one owner added with an
    expiration.  Marking an owner for removal in the audit modal must be refused with
    the group ownership policy's message, and the browser stays on the group page.
    """
    tomorrow = datetime.utcnow() + timedelta(1)

    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "audited-team", role="owner")
        setup.create_permission("audited", audited=True)
        setup.grant_permission_to_group("audited", "", "audited-team")
        setup.add_user_to_group("*****@*****.**", "auditors")
        setup.add_user_to_group("*****@*****.**", "auditors", role="owner")
        for audit_permission in (AUDIT_VIEWER, AUDIT_MANAGER, PERMISSION_AUDITOR):
            setup.grant_permission_to_group(audit_permission, "", "auditors")
        setup.add_user_to_group("*****@*****.**", "audited-team", role="owner",
                                expiration=tomorrow)

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/audits/create"))
        audit_form = AuditsCreatePage(browser)
        audit_form.set_end_date(tomorrow.strftime("%m/%d/%Y"))
        audit_form.submit()

        browser.get(url(base_url, "/groups/audited-team"))
        group_view = GroupViewPage(browser)
        audit_modal = group_view.get_audit_modal()
        audit_modal.find_member_row("*****@*****.**").set_audit_status("remove")
        audit_modal.confirm()

        assert group_view.current_url.endswith("/groups/audited-team")
        assert group_view.has_alert(group_ownership_policy.EXCEPTION_MESSAGE)
def test_list_pagination(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Test pagination of the permissions listing.

    The limit and offset are set directly in the query string rather than through the
    page controls, since the test data never has more than 100 permissions.  Expected
    rows come from the test data with dates formatted per the dev config.
    """
    permissions = create_test_data(setup)
    settings = FrontendSettings()
    settings.update_from_config(src_path("config", "dev.yaml"))
    expected = sorted(
        (p.name, p.description, format_date(settings, p.created_on))
        for p in permissions
    )

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions?limit=1&offset=1"))
        listing = PermissionsPage(browser)
        shown = [(r.name, r.description, r.created_on) for r in listing.permission_rows]
        assert shown == expected[1:2]
        assert listing.limit_label == "Limit: 1"

        # Ask for the tail with a limit larger than what remains, to check that the
        # displayed limit is not clamped to the number of rows actually returned.
        browser.get(url(base_url, "/permissions?limit=10&offset=2"))
        listing = PermissionsPage(browser)
        shown = [(r.name, r.description, r.created_on) for r in listing.permission_rows]
        assert shown == expected[2:]
        assert listing.limit_label == "Limit: 10"
def test_view_change_audited(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """An audit manager can toggle auditing of a permission from its view page.

    Checks the initial state (no audited warning, enable button shown), enables
    auditing through the modal, checks the inverted state, then disables it again
    and checks the page is back to the initial state.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "audit-managers")
        setup.grant_permission_to_group(AUDIT_MANAGER, "", "audit-managers")
        setup.create_permission("some-permission", "Some permission")

    def assert_not_audited(view):
        # The two indicators that auditing is currently off.
        assert not view.has_audited_warning
        assert view.has_enable_auditing_button

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions/some-permission"))
        permission_view = PermissionViewPage(browser)
        assert not permission_view.has_disable_permission_button
        assert_not_audited(permission_view)

        permission_view.click_enable_auditing_button()
        permission_view.get_enable_auditing_modal().confirm()

        assert permission_view.subheading == "some-permission"
        assert permission_view.has_audited_warning
        assert not permission_view.has_enable_auditing_button
        assert permission_view.has_disable_auditing_button

        permission_view.click_disable_auditing_button()
        permission_view.get_disable_auditing_modal().confirm()

        assert permission_view.subheading == "some-permission"
        assert_not_audited(permission_view)
        assert not permission_view.has_disable_auditing_button
def test_service_account_edit(tmpdir: LocalPath, setup: SetupTest,
                              browser: Chrome) -> None:
    """Editing a service account validates the machine set and then saves the changes.

    An invalid machine set is reported by alerts naming the field and the account.
    After correcting it, the browser returns to the account's view page and the new
    description and machine set are shown.
    """
    account_path = "/groups/some-group/service/[email protected]"

    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        assert account_view.description == ""
        assert account_view.machine_set == ""
        account_view.click_edit_button()

        edit_form = ServiceAccountEditPage(browser)
        edit_form.set_description("some description")
        edit_form.set_machine_set("some machines bad-machine")
        edit_form.submit()
        assert edit_form.has_alert("machine_set")
        assert edit_form.has_alert(
            "[email protected] has invalid machine set")

        # Correct only the machine set; the description entered above is expected to stick.
        edit_form.set_machine_set("some machines")
        edit_form.submit()

        assert browser.current_url.endswith(account_path)
        assert account_view.description == "some description"
        assert account_view.machine_set == "some machines"
def test_list_groups(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The groups listing shows each group's name, link, description, and join policy.

    Creates three groups with different join policies and checks that every row links
    to the group page and renders the policy as its human-readable label.
    """
    with setup.transaction():
        setup.create_group("one-group", "Some group", GroupJoinPolicy.CAN_JOIN)
        setup.create_group("another-group", "Another group", GroupJoinPolicy.CAN_ASK)
        setup.create_group("private", join_policy=GroupJoinPolicy.NOBODY)

    # (name, description, join-policy label), in the order the rows are checked.
    expected_rows = [
        ("one-group", "Some group", "Anyone"),
        ("another-group", "Another group", "Must Ask"),
        ("private", "", "Nobody"),
    ]

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups"))
        listing = GroupsViewPage(browser)

        for name, description, join_label in expected_rows:
            row = listing.find_group_row(name)
            assert row.name == name
            assert row.href == url(base_url, "/groups/" + name)
            assert row.description == description
            assert row.can_join == join_label
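def test_group_create(tmpdir: LocalPath, setup: SetupTest,
                      browser: Chrome) -> None:
    """Creating a group rejects an "@" in the name and then succeeds on the dedicated page.

    Submits the create-group modal on the groups listing with an invalid name, expects
    to land on the group creation page with an alert, fixes the name, submits, and
    checks that the creating user is listed as the group's owner.
    """
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups"))

        # First create a group from the view page with an error (an invalid name, doubling as a
        # test that @ in group names is rejected).  This should leave that page and go to the
        # dedicated group creation page with the form already set up.
        groups_page = GroupsViewPage(browser)
        groups_page.click_create_group_button()
        create_group_modal = groups_page.get_create_group_modal()
        create_group_modal.set_group_name("test-group@something")
        create_group_modal.set_description("some description")
        create_group_modal.confirm()

        create_page = GroupCreatePage(browser)
        # The result of has_alert() was previously discarded, so the rejection of "@"
        # was never actually verified; it must be asserted.
        assert create_page.has_alert("Group names cannot contain @")
        create_page.set_group_name("test-group")
        create_page.submit()

        view_page = GroupViewPage(browser)
        assert view_page.subheading == "test-group"

        row = view_page.find_member_row("*****@*****.**")
        assert row.role == "owner"
        assert row.href.endswith("/users/[email protected]")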
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A permission can be granted to a service account and then revoked again.

    Starting from an account with no permissions, "some-permission" is granted with
    argument "foo" through the grant page, the single resulting row is checked, and
    the grant is revoked through the modal, leaving the list empty again.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/some-group/service/[email protected]"))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.permission_rows == []
        account_view.click_add_permission_button()

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        account_view = ServiceAccountViewPage(browser)
        rows = account_view.permission_rows
        assert len(rows) == 1
        granted = rows[0]
        assert granted.permission == "some-permission"
        assert granted.argument == "foo"

        granted.click_revoke_button()
        account_view.get_revoke_permission_modal().confirm()

        assert account_view.permission_rows == []
def test_show_group(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """The group view page lists members with their roles and permissions with arguments.

    Checks that the owner and member rows link to user pages, that the single "ssh"
    grant shows its "*" argument, and that both "team-sre" grants link to the
    permission page with the arguments "bar" and "foo".
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "team-sre", role="owner")
        setup.add_user_to_group("*****@*****.**", "team-sre")
        setup.grant_permission_to_group("ssh", "*", "team-sre")
        setup.grant_permission_to_group("team-sre", "foo", "team-sre")
        setup.grant_permission_to_group("team-sre", "bar", "team-sre")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/team-sre"))
        group_view = GroupViewPage(browser)

        expected_members = (("*****@*****.**", "owner"), ("*****@*****.**", "member"))
        for member, role in expected_members:
            member_row = group_view.find_member_row(member)
            assert member_row.role == role
            assert member_row.href.endswith("/users/[email protected]")

        ssh_rows = group_view.find_permission_rows("ssh")
        assert len(ssh_rows) == 1
        assert ssh_rows[0].argument == "*"
        assert ssh_rows[0].href.endswith("/permissions/ssh")

        team_rows = group_view.find_permission_rows("team-sre")
        assert all(r.href.endswith("/permissions/team-sre") for r in team_rows)
        assert sorted(r.argument for r in team_rows) == ["bar", "foo"]
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A permission can be granted to a service account and then revoked again.

    Starting from an account with no permissions, "some-permission" is granted with
    argument "foo" through the grant page, the single resulting row is checked, and
    the grant is revoked through the modal, leaving the list empty again.  The owner
    shown on the view page must stay "some-group" throughout.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(
            url(base_url,
                "/groups/some-group/service/[email protected]"))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        assert account_view.permission_rows == []
        account_view.click_add_permission_button()

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        assert account_view.owner == "some-group"
        rows = account_view.permission_rows
        assert len(rows) == 1
        granted = rows[0]
        assert granted.permission == "some-permission"
        assert granted.argument == "foo"

        granted.click_revoke_button()
        account_view.get_revoke_permission_modal().confirm()

        assert account_view.owner == "some-group"
        assert account_view.permission_rows == []
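def test_referrer_policy(tmpdir, setup):
    # type: (LocalPath, SetupTest) -> None
    """The frontend must send ``Referrer-Policy: same-origin`` on its responses.

    Fetches "/" from a frontend server and checks the status code and the header
    value.  ``setup`` is not referenced by the body; it is accepted as a fixture.
    """
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        response = urlopen(url(frontend_url, "/"))
        try:
            assert response.getcode() == 200
            headers = response.info()
            assert str(headers["Referrer-Policy"]) == "same-origin"
        finally:
            # Release the connection explicitly instead of leaving it to the garbage
            # collector while the frontend server is being torn down.
            response.close()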
def test_view_change_audited(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """An audit manager can toggle auditing of a permission from its view page.

    Checks the initial state (no audited warning, enable button shown), enables
    auditing through the modal, checks the inverted state, then disables it again
    and checks the page is back to the initial state.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "audit-managers")
        setup.grant_permission_to_group(AUDIT_MANAGER, "", "audit-managers")
        setup.create_permission("some-permission", "Some permission")

    def assert_not_audited(view):
        # The two indicators that auditing is currently off.
        assert not view.has_audited_warning
        assert view.has_enable_auditing_button

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions/some-permission"))
        permission_view = PermissionViewPage(browser)
        assert not permission_view.has_disable_permission_button
        assert_not_audited(permission_view)

        permission_view.click_enable_auditing_button()
        permission_view.get_enable_auditing_modal().confirm()

        assert permission_view.subheading == "some-permission"
        assert permission_view.has_audited_warning
        assert not permission_view.has_enable_auditing_button
        assert permission_view.has_disable_auditing_button

        permission_view.click_disable_auditing_button()
        permission_view.get_disable_auditing_modal().confirm()

        assert permission_view.subheading == "some-permission"
        assert_not_audited(permission_view)
        assert not permission_view.has_disable_auditing_button
def test_request_options(tmpdir: LocalPath, setup: SetupTest,
                         browser: Chrome) -> None:
    """The join page offers the user and the groups they own, minus pending requests.

    Initially the member dropdown lists the user and ``some-group``.  Once the user
    has submitted a join request, their entry is replaced by a blank one, a single
    alert notes the pending request, and resubmitting keeps the browser on the form.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")
        setup.create_group("other-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/other-group/join"))
        join_form = GroupJoinPage(browser)

        def member_values():
            # The "value" attribute of every entry in the member dropdown, in order.
            return [o.get_attribute("value") for o in join_form.get_member_options()]

        assert member_values() == ["User: [email protected]", "Group: some-group"]

        join_form.set_reason("Testing")
        join_form.submit()

        # With a request pending, the user entry is blanked and an alert explains why.
        browser.get(url(base_url, "/groups/other-group/join"))
        assert member_values() == ["", "Group: some-group"]
        alerts = join_form.get_alerts()
        assert len(alerts) == 1
        assert "already a member" in alerts[0].text

        # Submitting with nothing selected is refused; the browser stays on the form.
        join_form.set_reason("Testing")
        join_form.submit()
        assert join_form.current_url == url(base_url,
                                            "/groups/other-group/join")
def test_list_pagination(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Test pagination of the permissions listing.

    The limit and offset are set directly in the query string rather than through the
    page controls, since the test data never has more than 100 permissions.  Expected
    rows come from the test data with dates formatted per the dev config.
    """
    permissions = create_test_data(setup)
    settings = FrontendSettings()
    settings.update_from_config(src_path("config", "dev.yaml"))
    expected = sorted(
        (p.name, p.description, format_date(settings, p.created_on))
        for p in permissions
    )

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions?limit=1&offset=1"))
        listing = PermissionsPage(browser)
        shown = [(r.name, r.description, r.created_on) for r in listing.permission_rows]
        assert shown == expected[1:2]
        assert listing.limit_label == "Limit: 1"

        # Ask for the tail with a limit larger than what remains, to check that the
        # displayed limit is not clamped to the number of rows actually returned.
        browser.get(url(base_url, "/permissions?limit=10&offset=2"))
        listing = PermissionsPage(browser)
        shown = [(r.name, r.description, r.created_on) for r in listing.permission_rows]
        assert shown == expected[2:]
        assert listing.limit_label == "Limit: 10"
def test_service_account_lifecycle(tmpdir: LocalPath, setup: SetupTest,
                                   browser: Chrome) -> None:
    """Create, disable, and re-enable a service account through the UI.

    Creation is first refused for an invalid machine set, then for an invalid name,
    and succeeds once both are fixed.  The account is disabled from its view page,
    found again on the users listing with disabled users and service accounts shown,
    and re-enabled under a different owning group.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "user-admins")
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group(USER_ADMIN, "", "user-admins")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/user-admins"))
        GroupViewPage(browser).click_add_service_account_button()

        create_form = ServiceAccountCreatePage(browser)

        # Refused: the machine set is invalid.
        create_form.set_name("my-special-service-account")
        create_form.set_description("some description")
        create_form.set_machine_set("some machines bad-machine")
        create_form.submit()
        assert create_form.has_alert("machine_set")
        assert create_form.has_alert(
            "[email protected] has invalid machine set")

        # Refused: the machine set is fixed but the name is invalid.
        create_form.set_name("service@service@service")
        create_form.set_machine_set("some machines")
        create_form.submit()
        assert create_form.has_alert("name")

        # Accepted once the name is fixed as well.
        create_form.set_name("my-special-service-account")
        create_form.submit()

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "user-admins"
        assert account_view.description == "some description"
        assert account_view.machine_set == "some machines"
        account_view.click_disable_button()
        account_view.get_disable_modal().confirm()

        # Find the disabled account in the users listing and re-enable it.
        browser.get(url(base_url, "/users"))
        users_listing = UsersViewPage(browser)
        users_listing.click_show_disabled_users_button()
        users_listing.click_show_service_accounts_button()
        users_listing.find_user_row(
            "[email protected] (service)").click()

        ServiceAccountViewPage(browser).click_enable_button()

        enable_form = ServiceAccountEnablePage(browser)
        enable_form.select_owner("Group: some-group")
        enable_form.submit()

        assert ServiceAccountViewPage(browser).owner == "some-group"
def test_invalid_user(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A user the frontend does not accept is shown a 403 error page.

    The error page must carry the generic "Error" heading, the "403 Forbidden"
    subheading, and a body explaining that the user does not match.
    """
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/"))
        error_view = ErrorPage(browser)
        assert error_view.heading == "Error"
        assert error_view.subheading == "403 Forbidden"
        assert "[email protected] does not match" in error_view.content
def test_grant_permission(tmpdir: LocalPath, setup: SetupTest,
                          browser: Chrome) -> None:
    """Grant a permission to two groups through the UI and verify both grants.

    The first grant uses a plain argument.  The second uses an argument with
    leading, trailing and doubled internal whitespace; it is checked on the
    page and then read back from the database, because the browser may
    normalise whitespace when rendering and so cannot prove what was stored.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group(PERMISSION_GRANT, "some-permission",
                                        "some-group")
        setup.create_permission("some-permission")
        setup.create_group("other-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        # Plain grant to some-group.
        browser.get(url(frontend_url, "/groups/some-group"))
        view = GroupViewPage(browser)
        assert view.find_permission_rows("some-permission") == []
        view.click_add_permission_button()

        grant_form = PermissionGrantPage(browser)
        grant_form.set_permission("some-permission")
        grant_form.set_argument("foo")
        grant_form.submit()

        plain_rows = view.find_permission_rows("some-permission")
        assert len(plain_rows) == 1
        assert plain_rows[0].argument == "foo"

        # Grant to other-group with messy whitespace around and inside the argument.
        browser.get(url(frontend_url, "/groups/other-group"))
        assert view.find_permission_rows("some-permission") == []
        view.click_add_permission_button()

        grant_form.set_permission("some-permission")
        grant_form.set_argument("  arg u  ment  ")
        grant_form.submit()

        messy_rows = view.find_permission_rows("some-permission")
        assert len(messy_rows) == 1
        # The rendered text may have the doubled internal space collapsed.
        assert messy_rows[0].argument in ("arg u ment", "arg u  ment")

    # Confirm the stored argument directly: outer whitespace stripped, inner kept.
    # The database is reopened first because SQLite does not always see writes
    # made by the frontend process otherwise.
    setup.reopen_database()
    grant_repository = (
        setup.sql_repository_factory.create_permission_grant_repository()
    )
    stored_grants = grant_repository.permission_grants_for_group("other-group")
    expected_grant = GroupPermissionGrant(
        group="other-group",
        permission="some-permission",
        argument="arg u  ment",
        granted_on=ANY,
        is_alias=False,
        grant_id=ANY,
    )
    assert stored_grants == [expected_grant]
def test_view(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Render the permission view pages for a normal, an audited and a disabled permission.

    Group grants and service-account grants live on separate sub-pages here.
    None of the pages should show the disable-permission or auditing toggle
    buttons to the acting user; only the warnings and grant tables differ.
    """
    with setup.transaction():
        setup.create_permission("audited-permission", "", audited=True)
        setup.create_permission("some-permission", "Some permission")
        setup.create_permission("disabled-permission", "", enabled=False)
        setup.grant_permission_to_group("some-permission", "", "another-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "owner-group")
        setup.grant_permission_to_service_account("audited-permission",
                                                  "argument",
                                                  "*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:

        def open_view(path):
            # type: (str) -> PermissionViewPage
            """Navigate to *path* on the frontend and wrap it as a permission view."""
            browser.get(url(frontend_url, path))
            return PermissionViewPage(browser)

        # Normal permission: two group grants, no admin controls, no warnings.
        view = open_view("/permissions/some-permission/groups")
        assert view.subheading == "some-permission 2 grant(s)"
        assert view.description == "Some permission"
        assert not view.has_disable_permission_button
        assert not view.has_disable_auditing_button
        assert not view.has_enable_auditing_button
        assert not view.has_audited_warning
        assert not view.has_disabled_warning
        group_grants = [(row.group, row.argument)
                        for row in view.group_permission_grant_rows]
        assert group_grants == [("another-group", "(unargumented)"),
                                ("some-group", "foo")]

        view = open_view("/permissions/some-permission/service_accounts")
        assert view.has_no_service_account_grants

        # Audited permission: warning shown, granted only to a service account.
        view = open_view("/permissions/audited-permission/groups")
        assert view.subheading == "audited-permission 0 grant(s)"
        assert not view.description
        assert view.has_audited_warning
        assert not view.has_disable_auditing_button
        assert not view.has_enable_auditing_button
        assert view.has_no_group_grants

        view = open_view("/permissions/audited-permission/service_accounts")
        service_account_grants = [
            (row.service_account, row.argument)
            for row in view.service_account_permission_grant_rows
        ]
        assert service_account_grants == [("*****@*****.**", "argument")]

        # Disabled permission: only the disabled warning.
        view = open_view("/permissions/disabled-permission")
        assert view.subheading == "disabled-permission"
        assert not view.has_disable_permission_button
        assert view.has_disabled_warning
def test_service_account(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A service account identity cannot log in to the frontend interactively.

    The frontend is started as the service account created in the fixture;
    loading the root URL must produce the 403 error page whose body explains
    that the identity is a service account.
    """
    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/"))
        error_page = ErrorPage(browser)

        assert (error_page.heading, error_page.subheading) == ("Error", "403 Forbidden")
        assert "[email protected] is a service account" in error_page.content
def test_no_requests(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """The "requested by me" pending view shows the empty-state row when nothing is pending.

    Requests are created and then actioned by the fixture helpers, so the
    pending filter should match nothing for the acting user.
    """
    create_permission_requests(setup)
    action_permission_requests(setup)

    pending_by_me = "/permissions/requests?status=pending&direction=Requested+by+me"
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, pending_by_me))
        requests_page = PermissionRequestsPage(browser)

        assert requests_page.no_requests_row is not None
        assert not requests_page.request_rows
        assert not requests_page.status_change_rows
def test_list_create_button(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The create-permission button appears only once the user holds PERMISSION_CREATE.

    The list is loaded first without the grant, then the grant is added to a
    group the user is put into and the page is reloaded with ``refresh=yes``
    so that the permission change is picked up immediately.
    """
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        permissions_path = "/permissions"
        browser.get(url(frontend_url, permissions_path))
        listing = PermissionsPage(browser)
        assert not listing.has_create_permission_button

        with setup.transaction():
            setup.grant_permission_to_group(PERMISSION_CREATE, "*", "admins")
            setup.add_user_to_group("*****@*****.**", "admins")

        browser.get(url(frontend_url, permissions_path + "?refresh=yes"))
        assert listing.has_create_permission_button
def test_escaped_at_sign(tmpdir: LocalPath, setup: SetupTest,
                         browser: Chrome) -> None:
    """A service account URL with a percent-encoded ``@`` (``%40``) resolves correctly.

    The view page must decode the path segment and show the service account
    with its owning group, rather than failing to match the route.
    """
    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")

    encoded_path = "/groups/some-group/service/service%40svc.localhost"
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, encoded_path))
        account_view = ServiceAccountViewPage(browser)

        assert account_view.subheading == "Service Account: [email protected]"
        assert account_view.owner == "some-group"
def test_disable_must_be_owner(tmpdir: LocalPath, setup: SetupTest,
                               browser: Chrome) -> None:
    """A plain member of a group is not offered the disable-group control.

    One user is made owner and the acting user a member without a role; the
    group view must then have no disable button, so clicking it raises
    ``NoSuchElementException``.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")
        setup.add_user_to_group("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/some-group"))
        group_view = GroupViewPage(browser)

        # The control must be absent for a non-owner, not merely disabled.
        with pytest.raises(NoSuchElementException):
            group_view.click_disable_button()
def test_leave_as_last_owner(tmpdir: LocalPath, setup: SetupTest,
                             browser: Chrome) -> None:
    """The sole owner of a group is not offered a leave button.

    The group has one owner and one manager; on the group view the leave
    control must be missing entirely, so clicking it raises
    ``NoSuchElementException``.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")
        setup.add_user_to_group("*****@*****.**", "some-group", role="manager")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/some-group"))
        group_view = GroupViewPage(browser)

        with pytest.raises(NoSuchElementException):
            group_view.click_leave_button()
def test_search_escaping(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A search term containing HTML markup is escaped on the results page.

    The query closes an attribute and a tag and embeds a ``<marquee>``
    element.  If the results page reflected the term unescaped, the browser
    would create a real ``marquee`` element; the test asserts that no such
    element exists in the rendered DOM.
    """
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/"))

        home = UserViewPage(browser)
        markup_query = 'SEARCH"><marquee>foo</marquee>'
        home.search_input.send_keys(markup_query)
        home.click_search_button()

        results = SearchResultsPage(browser)
        # The tag name from the query must not have become a DOM element.
        with pytest.raises(NoSuchElementException):
            results.find_element_by_tag_name("marquee")
def test_disabled_user(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A disabled user is refused with a 403 page rather than served content.

    The user is created, flushed so it exists for the disable call, and then
    disabled.  Starting the frontend as that user and loading the root URL
    must show the error page saying the account is not active.
    """
    with setup.transaction():
        setup.create_user("*****@*****.**")
        # Flush so the freshly created row is visible to disable_user.
        setup.session.flush()
        setup.disable_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/"))
        error_page = ErrorPage(browser)

        assert (error_page.heading, error_page.subheading) == ("Error", "403 Forbidden")
        assert "[email protected] is not an active account" in error_page.content
def test_request_join_unicode(tmpdir: LocalPath, setup: SetupTest,
                              browser: Chrome) -> None:
    """A join request whose reason is non-ASCII text is accepted.

    After submitting the form the browser must land back on the group page
    with ``refresh=yes``, i.e. the request was processed without an encoding
    error.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", "owner")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/some-group/join"))
        join_form = GroupJoinPage(browser)

        cyrillic_reason = "защото причини"
        join_form.set_reason(cyrillic_reason)
        join_form.submit()

        landed_on = browser.current_url
        assert landed_on.endswith("/groups/some-group?refresh=yes")
def test_disable(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """A group owner can disable the group from the group view.

    Clicking the disable button opens a confirmation modal; after confirming,
    the subheading must mark the group as disabled.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/some-group"))
        group_view = GroupViewPage(browser)

        group_view.click_disable_button()
        group_view.get_disable_modal().confirm()

        assert group_view.subheading == "some-group (disabled)"
def test_view(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Render the permission view page for a normal, an audited and a disabled permission.

    Group grants and service-account grants are shown on the same page here.
    None of the pages should show the disable-permission or auditing toggle
    buttons to the acting user; only the warnings and grant tables differ.
    """
    with setup.transaction():
        setup.create_permission("audited-permission", "", audited=True)
        setup.create_permission("some-permission", "Some permission")
        setup.create_permission("disabled-permission", "", enabled=False)
        setup.grant_permission_to_group("some-permission", "", "another-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "owner-group")
        setup.grant_permission_to_service_account(
            "audited-permission", "argument", "*****@*****.**"
        )

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:

        def view_permission(name):
            # type: (str) -> PermissionViewPage
            """Open the view page for permission *name* and wrap it."""
            browser.get(url(frontend_url, "/permissions/" + name))
            return PermissionViewPage(browser)

        # Normal permission: two group grants, no admin controls, no warnings.
        view = view_permission("some-permission")
        assert view.subheading == "some-permission"
        assert view.description == "Some permission"
        assert not view.has_disable_permission_button
        assert not view.has_disable_auditing_button
        assert not view.has_enable_auditing_button
        assert not view.has_audited_warning
        assert not view.has_disabled_warning
        group_grants = [(row.group, row.argument) for row in view.group_permission_grant_rows]
        assert group_grants == [("another-group", "(unargumented)"), ("some-group", "foo")]
        assert view.has_no_service_account_grants

        # Audited permission: warning shown, granted only to a service account.
        view = view_permission("audited-permission")
        assert view.subheading == "audited-permission"
        assert not view.description
        assert view.has_audited_warning
        assert not view.has_disable_auditing_button
        assert not view.has_enable_auditing_button
        assert view.has_no_group_grants
        service_account_grants = [
            (row.service_account, row.argument)
            for row in view.service_account_permission_grant_rows
        ]
        assert service_account_grants == [("*****@*****.**", "argument")]

        # Disabled permission: only the disabled warning.
        view = view_permission("disabled-permission")
        assert view.subheading == "disabled-permission"
        assert not view.has_disable_permission_button
        assert view.has_disabled_warning
def test_limited_arguments(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Request a permission whose argument is chosen from a fixed option list.

    For ``sample.permission`` the request form offers the argument as a select
    rather than a free-text field; choosing "Option A" and submitting must
    create request number 1.
    """
    with setup.transaction():
        setup.create_permission("sample.permission")
        setup.create_group("grouper-administrators")
        setup.add_user_to_group("*****@*****.**", "grouper-administrators")
        setup.add_user_to_group("*****@*****.**", "test-group")

    request_path = "/permissions/request?permission=sample.permission"
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, request_path))
        request_form = PermissionRequestPage(browser)

        request_form.set_select_value("group_name", "test-group")
        request_form.set_select_value("argument", "Option A")
        request_form.fill_field("reason", "Some testing reason")
        request_form.submit_request()

        assert browser.current_url.endswith("/permissions/requests/1")
def test_view_disable_with_grants(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A permission that is still granted cannot be disabled, even by an admin.

    The acting user holds PERMISSION_ADMIN so the disable button is shown, but
    confirming the modal must be rejected with an alert, leave the permission
    enabled, and keep the button available.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "administrators")
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "administrators")
        setup.grant_permission_to_group("some-permission", "argument", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions/some-permission"))
        view = PermissionViewPage(browser)
        assert view.has_disable_permission_button

        view.click_disable_permission_button()
        view.get_disable_permission_modal().confirm()

        # Server-side rule: outstanding grants block disabling.
        assert view.has_alert("cannot be disabled while it is still granted")
        assert not view.has_disabled_warning
        assert view.has_disable_permission_button
def test_view_disable(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """An admin can disable an ungranted permission from its view page.

    The acting user holds PERMISSION_ADMIN; after confirming the disable modal
    the page must show the disabled warning and hide the disable button.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "administrators")
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "administrators")
        setup.create_permission("some-permission", "Some permission")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions/some-permission"))
        view = PermissionViewPage(browser)
        assert view.has_disable_permission_button

        view.click_disable_permission_button()
        view.get_disable_permission_modal().confirm()

        assert view.subheading == "some-permission"
        assert view.has_disabled_warning
        assert not view.has_disable_permission_button
def test_list(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Exercise the permission list: default view, audited filter and date sorting.

    Expected rows are built from the fixture data, with ``created_on`` run
    through the same ``format_date`` helper (configured from ``dev.yaml``) that
    the frontend uses, so the rendered text can be compared exactly.
    """
    permissions = create_test_data(setup)
    settings = FrontendSettings()
    settings.update_from_config(src_path("config", "dev.yaml"))

    def as_row(permission):
        """Shape a fixture permission like a rendered (name, description, created_on) row."""
        return (
            permission.name,
            permission.description,
            format_date(settings, permission.created_on),
        )

    expected_rows = [as_row(p) for p in permissions]
    newest_first = [
        as_row(p) for p in sorted(permissions, key=lambda p: p.created_on, reverse=True)
    ]

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions"))
        listing = PermissionsPage(browser)

        def rows_on_page():
            """Current table contents as (name, description, created_on) tuples."""
            return [(r.name, r.description, r.created_on) for r in listing.permission_rows]

        # Default listing: everything, in sorted (name-first) tuple order.
        assert rows_on_page() == sorted(expected_rows)
        assert listing.heading == "Permissions"
        assert listing.subheading == "{} permission(s)".format(len(expected_rows))
        assert listing.limit_label == "Limit: 100"

        # Audited-only filter.
        listing.click_show_audited_button()
        audited_rows = [row for row in expected_rows if row[0] == "audited-permission"]
        assert rows_on_page() == sorted(audited_rows)
        assert listing.heading == "Audited Permissions"
        assert listing.subheading == "{} permission(s)".format(len(audited_rows))

        # Back to all permissions, ordered by creation time, newest first.
        listing.click_show_all_button()
        listing.click_sort_by_date()
        assert rows_on_page() == newest_first

        # A second click on the date header flips the order.
        listing.click_sort_by_date()
        assert rows_on_page() == newest_first[::-1]
def test_create_permission(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Create a permission through the UI within the user's allowed name patterns.

    The user's group holds PERMISSION_CREATE for ``foo.*`` and ``bar.baz``;
    the create form must list exactly those patterns, and creating ``foo.bar``
    must land on its view page with the given description.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group(PERMISSION_CREATE, "foo.*", "some-group")
        setup.grant_permission_to_group(PERMISSION_CREATE, "bar.baz", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions"))
        PermissionsPage(browser).click_create_permission_button()

        create_form = PermissionCreatePage(browser)
        assert create_form.allowed_patterns == ["bar.baz", "foo.*"]
        new_name, new_description = "foo.bar", "testing"
        create_form.set_name(new_name)
        create_form.set_description(new_description)
        create_form.form.submit()

        created_view = PermissionViewPage(browser)
        assert created_view.subheading == new_name
        assert created_view.description == new_description
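def test_search(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Searching for a substring returns the matching group, permission and user.

    The fixture creates one object of each type that the query "some" should
    match.  Result rows are compared as sorted ``(type, name)`` pairs so the
    page's own ordering does not matter.  The stray debug dump of the page
    source that used to follow the search was dropped: pytest already shows
    the assertion diff on failure, and the dump only adds noise to the log.
    """
    with setup.transaction():
        setup.create_group("group-some")
        setup.create_permission("awesome-permission")
        setup.create_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/"))

        page = UserViewPage(browser)
        page.search_input.send_keys("some")
        page.click_search_button()

        results_page = SearchResultsPage(browser)
        results = [(r.type, r.name) for r in results_page.result_rows]
        assert sorted(results) == [
            ("Group", "group-some"),
            ("Permission", "awesome-permission"),
            ("User", "*****@*****.**"),
        ]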
def test_list_audited_groups(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The audited-groups filter lists direct and inherited audited groups only.

    ``audited-group`` holds an audited permission directly and contains
    ``child-audited`` as a member group; ``one-group`` is unrelated.  With the
    filter on, the first two must appear with the matching audited reason and
    the third must be absent.
    """
    with setup.transaction():
        setup.create_group("one-group", "Some group")
        setup.create_group("audited-group", "Another group")
        setup.create_permission("audited", "", audited=True)
        setup.grant_permission_to_group("audited", "", "audited-group")
        setup.add_group_to_group("child-audited", "audited-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups"))
        listing = GroupsViewPage(browser)

        # Unfiltered: all three groups are listed.
        for group_name in ("one-group", "audited-group", "child-audited"):
            assert listing.find_group_row(group_name)

        # Filtered: only the audited ones, each tagged with how it became audited.
        listing.click_show_audited_button()
        expected_reasons = (("audited-group", "Direct"), ("child-audited", "Inherited"))
        for group_name, reason in expected_reasons:
            assert listing.find_group_row(group_name).audited_reason == reason
        with pytest.raises(NoSuchElementException):
            listing.find_group_row("one-group")
def test_requesting_permission(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    with setup.transaction():
        setup.create_group("dev-infra")
        setup.create_group("front-end")
        setup.create_permission(name="git.repo.read")
        setup.create_user("*****@*****.**")

        setup.add_user_to_group("*****@*****.**", "front-end")
        setup.grant_permission_to_group("grouper.permission.grant", "git.repo.read", "dev-infra")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions/git.repo.read"))

        page1 = PermissionPage(browser)
        assert page1.heading == "Permissions"
        assert page1.subheading == "git.repo.read"
        page1.button_to_request_this_permission.click()

        page2 = PermissionRequestPage(browser)
        assert page2.heading == "Permissions"
        assert page2.subheading == "Request Permission"
        assert page2.get_option_values("group_name") == [u"", u"front-end"]
        assert page2.get_option_values("permission_name") == [u"git.repo.read"]

        page2.set_select_value("group_name", "front-end")
        page2.fill_field("argument", "server")
        page2.fill_field("reason", "So they can do development")
        page2.submit_request()

        text = " ".join(browser.find_element_by_tag_name("body").text.split())
        assert browser.current_url.endswith("/permissions/requests/1")
        assert "[email protected] pending" in text
        assert (
            "Group: front-end Permission: git.repo.read Argument: server "
            "Reason: So they can do development Waiting for approval" in text
        )