예제 #1
0
    def test_sync_user_assignments_locally_removed_assignments_are_removed_from_db(
            self):
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        # Initial state, no roles
        role_dbs = get_roles_for_user(user_db=self.users['user_2'])
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with two roles defined
        api = UserRoleAssignmentFileFormatAPI(
            username='******',
            roles=['role_1', 'role_2'],
            file_path='assignments/user2.yaml')

        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=self.users['user_2'])
        self.assertEqual(len(role_dbs), 2)
        self.assertEqual(role_dbs[0], self.roles['role_1'])
        self.assertEqual(role_dbs[1], self.roles['role_2'])

        # Do the sync with one role defined (one should be removed from the db)
        api = UserRoleAssignmentFileFormatAPI(
            username='******',
            roles=['role_2'],
            file_path='assignments/user2.yaml')

        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=self.users['user_2'])
        self.assertEqual(len(role_dbs), 1)
        self.assertEqual(role_dbs[0], self.roles['role_2'])
예제 #2
0
    def test_sync_assignments_are_removed_user_doesnt_exist_in_db(self):
        # Make sure that the assignments for the users which don't exist in the db are correctly
        # removed
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        username = '******'

        # Initial state, no roles
        user_db = UserDB(name=username)
        self.assertEqual(len(User.query(name=username)), 0)
        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with two roles defined
        api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
                                              roles=['role_1', 'role_2'])
        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 2)
        self.assertEqual(role_dbs[0], self.roles['role_1'])
        self.assertEqual(role_dbs[1], self.roles['role_2'])

        # Sync with no roles on disk - existing roles should be removed
        syncer.sync_users_role_assignments(role_assignment_apis=[])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 0)

        username = '******'

        # Initial state, no roles
        user_db = UserDB(name=username)
        self.assertEqual(len(User.query(name=username)), 0)
        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with three roles defined
        api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
                                              roles=['role_1', 'role_2', 'role_3'])
        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 3)
        self.assertEqual(role_dbs[0], self.roles['role_1'])
        self.assertEqual(role_dbs[1], self.roles['role_2'])
        self.assertEqual(role_dbs[2], self.roles['role_3'])

        # Sync with one role on disk - two roles should be removed
        api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
                                              roles=['role_3'])
        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 1)
        self.assertEqual(role_dbs[0], self.roles['role_3'])
    def test_sync_user_assignments_multiple_sources_same_role_assignment(self):
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        # Initial state, no roles
        role_dbs = rbac_service.get_roles_for_user(
            user_db=self.users['user_2'])
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with role defined in separate files
        assignment1 = UserRoleAssignmentFileFormatAPI(
            username='******',
            roles=['role_1'],
            file_path='assignments/user2a.yaml')

        assignment2 = UserRoleAssignmentFileFormatAPI(
            username='******',
            roles=['role_1'],
            file_path='assignments/user2b.yaml')

        syncer.sync_users_role_assignments(
            role_assignment_apis=[assignment1, assignment2])

        role_dbs = rbac_service.get_roles_for_user(
            user_db=self.users['user_2'])
        self.assertEqual(len(role_dbs), 1)
        self.assertEqual(role_dbs[0], self.roles['role_1'])

        role_assignment_dbs = rbac_service.get_role_assignments_for_user(
            user_db=self.users['user_2'])
        self.assertEqual(len(role_assignment_dbs), 2)

        sources = [r.source for r in role_assignment_dbs]
        self.assertIn('assignments/user2a.yaml', sources)
        self.assertIn('assignments/user2b.yaml', sources)

        # Do another sync with one assignment file removed - only one assignment should be left
        syncer.sync_users_role_assignments(role_assignment_apis=[assignment2])

        role_dbs = rbac_service.get_roles_for_user(
            user_db=self.users['user_2'])
        self.assertEqual(len(role_dbs), 1)
        self.assertEqual(role_dbs[0], self.roles['role_1'])

        role_assignment_dbs = rbac_service.get_role_assignments_for_user(
            user_db=self.users['user_2'])
        self.assertEqual(len(role_assignment_dbs), 1)

        sources = [r.source for r in role_assignment_dbs]
        self.assertIn('assignments/user2b.yaml', sources)
예제 #4
0
    def test_sync_remote_assignments_are_not_manipulated(self):
        # Verify remote assignments are not manipulated.
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        # Initial state, no roles
        user_db = UserDB(name='doesntexistwhaha')
        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertItemsEqual(role_dbs, [])

        # Create mock remote role assignment
        role_db = self.roles['role_3']
        source = 'assignments/%s.yaml' % user_db.name
        role_assignment_db = assign_role_to_user(role_db=role_db,
                                                 user_db=user_db,
                                                 source=source,
                                                 is_remote=True)
        self.assertTrue(role_assignment_db.is_remote)

        # Verify assignment has been created
        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertItemsEqual(role_dbs, [self.roles['role_3']])

        # Do the sync with two roles defined - verify remote role assignment hasn't been
        # manipulated with.
        api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
                                              roles=['role_1', 'role_2'],
                                              file_path='assignments/%s.yaml' %
                                              user_db.name)

        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 3)
        self.assertEqual(role_dbs[0], self.roles['role_1'])
        self.assertEqual(role_dbs[1], self.roles['role_2'])
        self.assertEqual(role_dbs[2], self.roles['role_3'])

        # Do sync with no roles - verify all roles except remote one are removed.
        api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
                                              roles=[],
                                              file_path='assignments/%s.yaml' %
                                              user_db.name)

        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 1)
        self.assertEqual(role_dbs[0], self.roles['role_3'])
예제 #5
0
    def test_sync_role_assignments_no_assignment_file_on_disk(self):
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        # Initial state, no roles
        user_db = self.users['user_3']
        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with two roles defined
        api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
                                              roles=['role_1', 'role_2'],
                                              file_path='assignments/%s.yaml' %
                                              user_db.name)

        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 2)
        self.assertEqual(role_dbs[0], self.roles['role_1'])
        self.assertEqual(role_dbs[1], self.roles['role_2'])

        # Do the sync with no roles - existing assignments should be removed from the databse
        syncer.sync_users_role_assignments(role_assignment_apis=[])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 0)
예제 #6
0
    def test_sync_assignments_user_doesnt_exist_in_db(self):
        # Make sure that the assignments for the users which don't exist in the db are still saved
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        username = '******'

        # Initial state, no roles
        user_db = UserDB(name=username)
        self.assertEqual(len(User.query(name=username)), 0)
        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with two roles defined
        api = UserRoleAssignmentFileFormatAPI(
            username=user_db.name,
            roles=['role_1', 'role_2'],
            file_path='assignments/foobar.yaml')

        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=user_db)
        self.assertEqual(len(role_dbs), 2)
        self.assertEqual(role_dbs[0], self.roles['role_1'])
        self.assertEqual(role_dbs[1], self.roles['role_2'])
예제 #7
0
    def test_sync_user_assignments_multiple_custom_roles_assignments(self):
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        # Initial state, no roles
        role_dbs = get_roles_for_user(user_db=self.users['user_2'])
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with two roles defined
        api = UserRoleAssignmentFileFormatAPI(
            username='******',
            roles=['role_1', 'role_2'],
            file_path='assignments/user2.yaml')
        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=self.users['user_2'])
        self.assertEqual(len(role_dbs), 2)
        self.assertEqual(role_dbs[0], self.roles['role_1'])
        self.assertEqual(role_dbs[1], self.roles['role_2'])
        role_assignment_dbs = get_role_assignments_for_user(
            user_db=self.users['user_2'])
        self.assertEqual(len(role_assignment_dbs), 2)
        self.assertEqual(role_assignment_dbs[0].source,
                         'assignments/user2.yaml')
        self.assertEqual(role_assignment_dbs[1].source,
                         'assignments/user2.yaml')
    def test_sync_user_assignments_single_role_assignment(self):
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        # Initial state, no roles
        role_dbs = rbac_service.get_roles_for_user(
            user_db=self.users['user_1'])
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with a single role defined
        api = UserRoleAssignmentFileFormatAPI(
            username='******',
            roles=['role_1'],
            file_path='assignments/user1.yaml')
        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = rbac_service.get_roles_for_user(
            user_db=self.users['user_1'])
        self.assertItemsEqual(role_dbs, [self.roles['role_1']])
        role_assignment_dbs = rbac_service.get_role_assignments_for_user(
            user_db=self.users['user_1'])
        self.assertEqual(len(role_assignment_dbs), 1)
        self.assertEqual(role_assignment_dbs[0].source,
                         'assignments/user1.yaml')
예제 #9
0
파일: loader.py 프로젝트: alexmakarski/st2
    def load_user_role_assignments_from_file(self, file_path):
        """
        Load user role assignments from file.

        :param file_path: Path to the user role assignment file.
        :type file_path: ``str``

        :return: User role assignments.
        :rtype: :class:`UserRoleAssignmentFileFormatAPI`
        """
        content = self._meta_loader.load(file_path)

        user_role_assignment_api = UserRoleAssignmentFileFormatAPI(**content)
        user_role_assignment_api.validate()

        return user_role_assignment_api
예제 #10
0
파일: loader.py 프로젝트: AlexeyDeyneko/st2
    def load_user_role_assignments_from_file(self, file_path):
        """
        Load user role assignments from file.

        :param file_path: Path to the user role assignment file.
        :type file_path: ``str``

        :return: User role assignments.
        :rtype: :class:`UserRoleAssignmentFileFormatAPI`
        """
        content = self._meta_loader.load(file_path)

        if not content:
            msg = ('Role assignment file "%s" is empty and invalid' % file_path)
            raise ValueError(msg)

        user_role_assignment_api = UserRoleAssignmentFileFormatAPI(**content)
        user_role_assignment_api.validate()

        return user_role_assignment_api
예제 #11
0
    def load_user_role_assignments_from_file(self, file_path):
        """
        Load user role assignments from file.

        :param file_path: Path to the user role assignment file.
        :type file_path: ``str``

        :return: User role assignments.
        :rtype: :class:`UserRoleAssignmentFileFormatAPI`
        """
        content = self._meta_loader.load(file_path)

        if not content:
            msg = ('Role assignment file "%s" is empty and invalid' % file_path)
            raise ValueError(msg)

        user_role_assignment_api = UserRoleAssignmentFileFormatAPI(**content)
        user_role_assignment_api.file_path = file_path[file_path.rfind('assignments/'):]
        user_role_assignment_api = user_role_assignment_api.validate()

        return user_role_assignment_api
예제 #12
0
    def test_sync_user_assignments_single_role_assignment(self):
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        # Initial state, no roles
        role_dbs = get_roles_for_user(user_db=self.users['user_1'])
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with a single role defined
        api = UserRoleAssignmentFileFormatAPI(username='******',
                                              roles=['role_1'])
        syncer.sync_users_role_assignments(role_assignment_apis=[api])

        role_dbs = get_roles_for_user(user_db=self.users['user_1'])
        self.assertItemsEqual(role_dbs, [self.roles['role_1']])
예제 #13
0
    def test_sync_user_assignments_role_doesnt_exist_in_db(self):
        syncer = RBACDefinitionsDBSyncer()

        self._insert_mock_roles()

        # Initial state, no roles
        role_dbs = get_roles_for_user(user_db=self.users['user_2'])
        self.assertItemsEqual(role_dbs, [])

        # Do the sync with role defined in separate files
        assignment1 = UserRoleAssignmentFileFormatAPI(
            username='******', roles=['doesnt_exist'], file_path='assignments/user2.yaml')

        expected_msg = ('Role "doesnt_exist" referenced in assignment file '
                        '"assignments/user2.yaml" doesn\'t exist')
        self.assertRaisesRegexp(ValueError, expected_msg, syncer.sync_users_role_assignments,
                                role_assignment_apis=[assignment1])