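def test_ldap_search(self):
    """
    Verify ldap search only allows access if the user is in an expected group.

    Two scenarios are run against a mocked ``ldap`` module:

    * Sunny day: the directory reports membership of ``someldapgroup``;
      the search must succeed for ``group1`` and refuse ``notallowed``.
    * Error paths: when ``ldap.initialize`` raises, the lookup must fail
      closed, i.e. element 0 of the result is ``False`` for every group,
      configured or not.
    """
    # Check sunny day searches
    with app.app_context():
        with mock.patch.dict('sys.modules', {'ldap': mock.MagicMock(ldap)}):
            mldap = sys.modules['ldap']
            conn = mock.MagicMock('conn')
            # Single directory entry: the user is a member of someldapgroup
            conn.search_s = mock.MagicMock(
                return_value=[[
                    'cn=someldapgroup,dc=example,dc=com',
                    {'cn': ['someldapgroup']},
                ]]
            )
            conn.simple_bind_s = mock.MagicMock('simple_bind_s')
            mldap.initialize.return_value = conn

            # A leftover debug ``print`` of the result was removed here.
            result = callables.ldap_search('username', {'group': 'group1'})
            assert result[0]
            assert callables.ldap_search(
                'username', {'group': 'notallowed'})[0] is False

    # Check on error conditions
    # If SERVER_DOWN, LDAPError or ImportError is raised the user should
    # not be able to authorize (fail closed).
    with app.app_context():
        with mock.patch.dict('sys.modules', {'ldap': mock.MagicMock(ldap)}):
            mldap = sys.modules['ldap']
            # NOTE(review): mldap is a MagicMock spec'd on ldap, so
            # mldap.SERVER_DOWN / mldap.LDAPError are child mocks rather than
            # exception classes; mock only raises a side_effect that is an
            # exception, so those two iterations may not exercise the
            # exception branch at all -- confirm, and consider the real
            # ldap.SERVER_DOWN / ldap.LDAPError classes if so.
            for ex in (ImportError, mldap.SERVER_DOWN, mldap.LDAPError):
                mldap.initialize.side_effect = ex
                assert callables.ldap_search(
                    'username', {'group': 'group1'})[0] is False
                assert callables.ldap_search(
                    'username', {'group': 'notallowed'})[0] is False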
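def test_environment_flat_files(self):
    """
    Verify environment_flat_files grants access only to an allowed group.

    ``pymongo.MongoClient`` is mocked so that ``db.re.playbooks.find``
    returns a single execution targeting ``host10``. With that record the
    ``superadmins`` grouping must be granted access and ``someldapgroup``
    must be refused. The docstring previously described the ldap test by
    mistake.
    """
    with app.app_context():
        with mock.patch('pymongo.MongoClient') as mc:
            mc.db.re.playbooks.find.return_value = [{
                'execution': [{'hosts': ['host10']}]}]
            # The code under test reads the database handle from flask.g
            g.db = mc.db

            # presumably a playbook id; verify against the implementation
            playbook_id = '5408c8b002b67c0013ac3737'

            # This grouping should have access
            assert envrestrictions.environment_flat_files(
                'username', playbook_id, ['superadmins'])
            # This grouping should not have access
            assert envrestrictions.environment_flat_files(
                'username', playbook_id, ['someldapgroup']) is False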
def test_ldap_search_for_unconfigured_group_fails(self):
    """
    Verify that if the ldap group is not configured access is not granted.

    The mocked directory reports membership only of a group that has no
    configuration entry, so neither a configured target (``group1``) nor
    an unknown one (``notallowed``) may be granted.
    """
    unconfigured_entry = (
        'cn=thisdoesnotexist,dc=example,dc=com',
        {'cn': 'thisdoesnotexist'},
    )
    with app.app_context():
        with mock.patch.dict('sys.modules', {'ldap': mock.MagicMock(ldap)}):
            mldap = sys.modules['ldap']
            conn = mock.MagicMock('conn')
            conn.search_s = mock.MagicMock(return_value=[unconfigured_entry])
            conn.simple_bind_s = mock.MagicMock('simple_bind_s')
            mldap.initialize.return_value = conn

            for target in ('group1', 'notallowed'):
                outcome = callables.ldap_search(
                    'username', {'group': target})
                assert outcome[0] is False
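def test_ldap_search_with_wildcard_access(self):
    """
    Verify a user has access to all groups if they have ``*`` listed.

    The mocked directory reports membership of ``superadmins``; a search
    for two unrelated groups must succeed in both cases.
    """
    # Check sunny day searches
    with app.app_context():
        with mock.patch.dict('sys.modules', {'ldap': mock.MagicMock(ldap)}):
            mldap = sys.modules['ldap']
            conn = mock.MagicMock('conn')
            conn.search_s = mock.MagicMock(
                return_value=[(
                    'cn=superadmins,dc=example,dc=com',
                    {'cn': 'superadmins'},
                )]
            )
            conn.simple_bind_s = mock.MagicMock('simple_bind_s')
            mldap.initialize.return_value = conn

            # The other ldap tests read the decision from element 0 of the
            # return value; asserting on the whole return value is vacuous
            # for any non-empty container (a refusal would still pass), so
            # assert on the decision itself.
            for target in ('group1', 'howaboutthis'):
                assert callables.ldap_search(
                    'username', {'group': target})[0]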