def test_group_logdump(session, tmpdir, users, groups): # noqa: F811 groupname = "team-sre" group_id = groups[groupname].id yesterday = date.today() - timedelta(days=1) fn = tmpdir.join("out.csv").strpath call_main(session, tmpdir, "group", "log_dump", groupname, yesterday.isoformat(), "--outfile", fn) with open(fn, "r") as fh: out = fh.read() assert not out, "nothing yet" AuditLog.log(session, users["*****@*****.**"].id, "make_noise", "making some noise", on_group_id=group_id) session.commit() call_main(session, tmpdir, "group", "log_dump", groupname, yesterday.isoformat(), "--outfile", fn) with open(fn, "r") as fh: entries = [x for x in csv.reader(fh)] assert len(entries) == 1, "should capture our new audit log entry" log_time, actor, description, action, extra = entries[0] assert groupname in extra
def test_group_add_remove_owner( make_session, get_plugin_proxy, session, users, groups # noqa: F811 ): make_session.return_value = session get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()]) username = "******" groupname = "team-sre" # add assert (u"User", username) not in groups[groupname].my_members() call_main(session, "group", "add_member", "--owner", groupname, username) all_members = Group.get(session, name=groupname).my_members() assert (u"User", username) in all_members _, _, _, role, _, _ = all_members[(u"User", username)] assert GROUP_EDGE_ROLES[role] == "owner" # remove (fails) call_main(session, "group", "remove_member", groupname, username) assert (u"User", username) in Group.get(session, name=groupname).my_members()
def test_sync_db_default_group( mock_get_auditors_group_name, make_session, session, users, groups # noqa: F811 ): make_session.return_value = session auditors_group = Group.get(session, name="my-auditors") assert not auditors_group, "Auditors group should not exist yet" call_main(session, "sync_db") admin_group = Group.get(session, name="grouper-administrators") assert admin_group, "Group should have been autocreated" admin_group_permission_names = [ perm[1] for perm in admin_group.my_permissions() ] for permission in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN): assert permission in admin_group_permission_names, ( "Expected permission missing: %s" % permission) auditors_group = Group.get(session, name="my-auditors") assert auditors_group, "Auditors group should have been autocreated" auditors_group_permission_names = [ perm[1] for perm in auditors_group.my_permissions() ] assert PERMISSION_AUDITOR in auditors_group_permission_names, ( "Expected permission missing: %s" % PERMISSION_AUDITOR)
def test_group_logdump(session, tmpdir, users, groups): # noqa: F811 groupname = "team-sre" group_id = groups[groupname].id yesterday = date.today() - timedelta(days=1) fn = tmpdir.join("out.csv").strpath call_main( session, tmpdir, "group", "log_dump", groupname, yesterday.isoformat(), "--outfile", fn ) with open(fn, "r") as fh: out = fh.read() assert not out, "nothing yet" AuditLog.log( session, users["*****@*****.**"].id, "make_noise", "making some noise", on_group_id=group_id ) session.commit() call_main( session, tmpdir, "group", "log_dump", groupname, yesterday.isoformat(), "--outfile", fn ) with open(fn, "r") as fh: entries = [x for x in csv.reader(fh)] assert len(entries) == 1, "should capture our new audit log entry" log_time, actor, description, action, extra = entries[0] assert groupname in extra
def test_group_name_checks(session, tmpdir, users, groups): # noqa: F811 username = "******" groupname = "team-sre" # check user/group name call_main(session, tmpdir, "group", "add_member", "--member", "invalid group name", username) assert (u"User", username) not in Group.get(session, name=groupname).my_members() bad_username = "******" call_main(session, tmpdir, "group", "add_member", "--member", groupname, bad_username) assert (u"User", bad_username) not in Group.get(session, name=groupname).my_members()
def test_group_name_checks(make_session, session, users, groups): # noqa: F811 make_session.return_value = session username = "******" groupname = "team-sre" # check user/group name call_main(session, "group", "add_member", "--member", "invalid group name", username) assert (u"User", username) not in Group.get(session, name=groupname).my_members() bad_username = "******" call_main(session, "group", "add_member", "--member", groupname, bad_username) assert (u"User", bad_username) not in Group.get(session, name=groupname).my_members()
def test_group_bulk_add_remove(session, tmpdir, users, groups): # noqa: F811 groupname = "team-sre" # bulk add usernames = {"*****@*****.**", "*****@*****.**", "*****@*****.**"} call_main(session, tmpdir, "group", "add_member", "--member", groupname, *usernames) members = {u for _, u in Group.get(session, name=groupname).my_members()} assert usernames.issubset(members) # bulk remove call_main(session, tmpdir, "group", "remove_member", groupname, *usernames) members = {u for _, u in Group.get(session, name=groupname).my_members()} assert not members.intersection(usernames)
def test_group_disable_group_owner(get_plugin_proxy, session, tmpdir, users, groups): # noqa: F811 get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()]) username = "******" groupname = "team-sre" # add call_main(session, tmpdir, "group", "add_member", "--owner", groupname, username) assert (u"User", username) in Group.get(session, name=groupname).my_members() # disable (fails) call_main(session, tmpdir, "user", "disable", username) assert (u"User", username) in Group.get(session, name=groupname).my_members()
def test_user_create(make_session, session, users): # noqa: F811 make_session.return_value = session # simple username = "******" call_main(session, "user", "create", username) assert User.get(session, name=username), "non-existent user should be created" # check username bad_username = "******" call_main(session, "user", "create", bad_username) assert not User.get(session, name=bad_username), "bad user should not be created" # bulk usernames = ["*****@*****.**", "*****@*****.**", "*****@*****.**"] call_main(session, "user", "create", *usernames) users = [User.get(session, name=u) for u in usernames] assert all(users), "all users created" usernames_with_one_bad = ["*****@*****.**", "*****@*****.**", "not_valid_user"] call_main(session, "user", "create", *usernames_with_one_bad) users = [User.get(session, name=u) for u in usernames_with_one_bad] assert not any(users), "one bad seed means no users created"
def test_group_add_remove_member(session, tmpdir, users, groups): # noqa: F811 username = "******" groupname = "team-sre" # add assert (u"User", username) not in groups[groupname].my_members() call_main(session, tmpdir, "group", "add_member", "--member", groupname, username) all_members = Group.get(session, name=groupname).my_members() assert (u"User", username) in all_members _, _, _, role, _, _ = all_members[(u"User", username)] assert GROUP_EDGE_ROLES[role] == "member" # remove call_main(session, tmpdir, "group", "remove_member", groupname, username) assert (u"User", username) not in Group.get(session, name=groupname).my_members()
def test_oneoff(mock_load_plugins, session, tmpdir): # noqa: F811 username = "******" other_username = "******" groupname = "fake_group" class FakeOneOff: def configure(self, service_name): pass def run(self, session, **kwargs): if kwargs.get("group"): Group.get_or_create(session, groupname=groupname) session.commit() elif kwargs.get("key") == "valuewith=": User.get_or_create(session, username=other_username) session.commit() else: User.get_or_create(session, username=username) session.commit() mock_load_plugins.return_value = [FakeOneOff()] # dry_run call_main(session, tmpdir, "oneoff", "run", "FakeOneOff") assert User.get(session, name=username) is None, "default dry_run means no writes" assert User.get(session, name=other_username) is None, '"valuewith= not in arg' assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created' # not dry_run, create a user call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff") assert User.get(session, name=username) is not None, "dry_run off means writes" assert User.get(session, name=other_username) is None, '"valuewith= not in arg' assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created' # not dry_run, use kwarg to create a group call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "group=1") assert User.get(session, name=username) is not None, "dry_run off means writes" assert User.get(session, name=other_username) is None, '"valuewith= not in arg' assert Group.get(session, name=groupname) is not None, '"group" in arg so group created' # invalid format for argument should result in premature system exit with pytest.raises(SystemExit): call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "bad_arg") call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "key=valuewith=") assert User.get(session, name=other_username) is not None, '"valuewith= in arg, create user2'
def test_group_add_remove_owner(get_plugin_proxy, session, tmpdir, users, groups): # noqa: F811 get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()]) username = "******" groupname = "team-sre" # add assert (u"User", username) not in groups[groupname].my_members() call_main(session, tmpdir, "group", "add_member", "--owner", groupname, username) all_members = Group.get(session, name=groupname).my_members() assert (u"User", username) in all_members _, _, _, role, _, _ = all_members[(u"User", username)] assert GROUP_EDGE_ROLES[role] == "owner" # remove (fails) call_main(session, tmpdir, "group", "remove_member", groupname, username) assert (u"User", username) in Group.get(session, name=groupname).my_members()
def test_oneoff(mock_load_plugins, session, tmpdir): # noqa: F811 username = "******" other_username = "******" groupname = "fake_group" class FakeOneOff(object): def configure(self, service_name): pass def run(self, session, **kwargs): if kwargs.get("group"): Group.get_or_create(session, groupname=groupname) session.commit() elif kwargs.get("key") == "valuewith=": User.get_or_create(session, username=other_username) session.commit() else: User.get_or_create(session, username=username) session.commit() mock_load_plugins.return_value = [FakeOneOff()] # dry_run call_main(session, tmpdir, "oneoff", "run", "FakeOneOff") assert User.get(session, name=username) is None, "default dry_run means no writes" assert User.get(session, name=other_username) is None, '"valuewith= not in arg' assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created' # not dry_run, create a user call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff") assert User.get(session, name=username) is not None, "dry_run off means writes" assert User.get(session, name=other_username) is None, '"valuewith= not in arg' assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created' # not dry_run, use kwarg to create a group call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "group=1") assert User.get(session, name=username) is not None, "dry_run off means writes" assert User.get(session, name=other_username) is None, '"valuewith= not in arg' assert Group.get(session, name=groupname) is not None, '"group" in arg so group created' # invalid format for argument should result in premature system exit with pytest.raises(SystemExit): call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "bad_arg") call_main(session, tmpdir, "oneoff", "run", "--no-dry_run", "FakeOneOff", "key=valuewith=") assert User.get(session, name=other_username) is not None, '"valuewith= in arg, create user2'
def test_group_add_remove_member(session, tmpdir, users, groups): # noqa: F811 username = "******" groupname = "team-sre" # add assert ("User", username) not in groups[groupname].my_members() call_main(session, tmpdir, "group", "add_member", "--member", groupname, username) all_members = Group.get(session, name=groupname).my_members() assert ("User", username) in all_members _, _, _, role, _, _ = all_members[("User", username)] assert GROUP_EDGE_ROLES[role] == "member" # remove call_main(session, tmpdir, "group", "remove_member", groupname, username) assert ("User", username) not in Group.get(session, name=groupname).my_members()
def test_user_public_key(make_session, session, users): # noqa: F811 make_session.return_value = session # good key username = "******" call_main(session, "user", "add_public_key", username, SSH_KEY_1) user = User.get(session, name=username) keys = get_public_keys_of_user(session, user.id) assert len(keys) == 1 assert keys[0].public_key == SSH_KEY_1 # duplicate key call_main(session, "user", "add_public_key", username, SSH_KEY_1) keys = get_public_keys_of_user(session, user.id) assert len(keys) == 1 assert keys[0].public_key == SSH_KEY_1 # bad key call_main(session, "user", "add_public_key", username, SSH_KEY_BAD) keys = get_public_keys_of_user(session, user.id) assert len(keys) == 1 assert keys[0].public_key == SSH_KEY_1
def test_user_create(session, tmpdir, users): # noqa: F811 # simple username = "******" call_main(session, tmpdir, "user", "create", username) assert User.get(session, name=username), "non-existent user should be created" # check username bad_username = "******" call_main(session, tmpdir, "user", "create", bad_username) assert not User.get(session, name=bad_username), "bad user should not be created" # bulk usernames = ["*****@*****.**", "*****@*****.**", "*****@*****.**"] call_main(session, tmpdir, "user", "create", *usernames) users = [User.get(session, name=u) for u in usernames] assert all(users), "all users created" usernames_with_one_bad = ["*****@*****.**", "*****@*****.**", "not_valid_user"] call_main(session, tmpdir, "user", "create", *usernames_with_one_bad) users = [User.get(session, name=u) for u in usernames_with_one_bad] assert not any(users), "one bad seed means no users created"
def test_user_public_key(session, tmpdir, users): # noqa: F811 # good key username = "******" call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_1) user = User.get(session, name=username) keys = get_public_keys_of_user(session, user.id) assert len(keys) == 1 assert keys[0].public_key == SSH_KEY_1 # duplicate key call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_1) keys = get_public_keys_of_user(session, user.id) assert len(keys) == 1 assert keys[0].public_key == SSH_KEY_1 # bad key call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_BAD) keys = get_public_keys_of_user(session, user.id) assert len(keys) == 1 assert keys[0].public_key == SSH_KEY_1
def test_user_status_changes( make_user_session, make_group_session, session, users, groups # noqa: F811 ): make_user_session.return_value = session make_group_session.return_value = session username = "******" groupname = "team-sre" # add user to a group call_main(session, "group", "add_member", "--member", groupname, username) # disable the account call_main(session, "user", "disable", username) assert not User.get(session, name=username).enabled # double disabling is a no-op call_main(session, "user", "disable", username) assert not User.get(session, name=username).enabled # re-enable the account, preserving memberships call_main(session, "user", "enable", "--preserve-membership", username) assert User.get(session, name=username).enabled assert (u"User", username) in groups[groupname].my_members() # enabling an active account is a no-op call_main(session, "user", "enable", username) assert User.get(session, name=username).enabled # disable and re-enable without the --preserve-membership flag call_main(session, "user", "disable", username) call_main(session, "user", "enable", username) assert User.get(session, name=username).enabled assert (u"User", username) not in groups[groupname].my_members()
def test_user_status_changes(session, tmpdir, users, groups): # noqa: F811 username = "******" groupname = "team-sre" # add user to a group call_main(session, tmpdir, "group", "add_member", "--member", groupname, username) # disable the account call_main(session, tmpdir, "user", "disable", username) assert not User.get(session, name=username).enabled # double disabling is a no-op call_main(session, tmpdir, "user", "disable", username) assert not User.get(session, name=username).enabled # re-enable the account, preserving memberships call_main(session, tmpdir, "user", "enable", "--preserve-membership", username) assert User.get(session, name=username).enabled assert (u"User", username) in groups[groupname].my_members() # enabling an active account is a no-op call_main(session, tmpdir, "user", "enable", username) assert User.get(session, name=username).enabled # disable and re-enable without the --preserve-membership flag call_main(session, tmpdir, "user", "disable", username) call_main(session, tmpdir, "user", "enable", username) assert User.get(session, name=username).enabled assert (u"User", username) not in groups[groupname].my_members()
def test_service_account_create( make_session, groups, service_accounts, session, users # noqa: F811 ): make_session.return_value = session machine_set = "foo +bar -(org)" description = "this is a service account.\n\n it is for testing" security_team_group = Group.get(session, name="security-team") good_actor_username = "******" good_service_account_name = "*****@*****.**" assert ServiceAccount.get(session, name=good_service_account_name) is None assert get_service_accounts(session, security_team_group) == [] # no-op if non-existing actor call_main( session, "service_account", "--actor", "*****@*****.**", "create", good_service_account_name, security_team_group.groupname, machine_set, description, ) # ... or if bad account name call_main( session, "service_account", "--actor", good_actor_username, "create", "bad-service-account-name", security_team_group.groupname, machine_set, description, ) # ... or non-existing owner group call_main( session, "service_account", "--actor", good_actor_username, "create", good_service_account_name, "non-such-owner-group", machine_set, description, ) # make sure no change was made assert ServiceAccount.get(session, name=good_service_account_name) is None assert get_service_accounts(session, security_team_group) == [] # now it works call_main( session, "service_account", "--actor", good_actor_username, "create", good_service_account_name, security_team_group.groupname, machine_set, description, ) service_account = ServiceAccount.get(session, name=good_service_account_name) assert service_account, "non-existing account should be created" assert service_account.user.name == good_service_account_name assert service_account.machine_set == machine_set assert service_account.description == description assert get_service_accounts(session, security_team_group) == [service_account] # no-op if account name already exists call_main( session, "service_account", "--actor", good_actor_username, "create", good_service_account_name, security_team_group.groupname, machine_set, description, ) service_account = ServiceAccount.get(session, name=good_service_account_name) assert service_account, "non-account should be created" assert service_account.user.name == good_service_account_name assert service_account.machine_set == machine_set assert service_account.description == description assert get_service_accounts(session, security_team_group) == [service_account] # actor can be a service account as well call_main( session, "service_account", "--actor", "*****@*****.**", "create", "*****@*****.**", security_team_group.groupname, machine_set + "2", description + "2", ) service_account_2 = ServiceAccount.get(session, name="*****@*****.**") assert service_account_2, "non-existing account should be created" assert service_account_2.user.name == "*****@*****.**" assert service_account_2.machine_set == (machine_set + "2") assert service_account_2.description == (description + "2") assert set(get_service_accounts(session, security_team_group)) == set( [service_account, service_account_2] )
def test_service_account_create(groups, service_accounts, session, tmpdir, users): # noqa: F811 machine_set = "foo +bar -(org)" description = "this is a service account.\n\n it is for testing" security_team_group = Group.get(session, name="security-team") good_actor_username = "******" good_service_account_name = "*****@*****.**" assert ServiceAccount.get(session, name=good_service_account_name) is None assert get_service_accounts(session, security_team_group) == [] # no-op if non-existing actor call_main( session, tmpdir, "service_account", "--actor", "*****@*****.**", "create", good_service_account_name, security_team_group.groupname, machine_set, description, ) # ... or if bad account name call_main( session, tmpdir, "service_account", "--actor", good_actor_username, "create", "bad-service-account-name", security_team_group.groupname, machine_set, description, ) # ... or non-existing owner group call_main( session, tmpdir, "service_account", "--actor", good_actor_username, "create", good_service_account_name, "non-such-owner-group", machine_set, description, ) # make sure no change was made assert ServiceAccount.get(session, name=good_service_account_name) is None assert get_service_accounts(session, security_team_group) == [] # now it works call_main( session, tmpdir, "service_account", "--actor", good_actor_username, "create", good_service_account_name, security_team_group.groupname, machine_set, description, ) service_account = ServiceAccount.get(session, name=good_service_account_name) assert service_account, "non-existing account should be created" assert service_account.user.name == good_service_account_name assert service_account.machine_set == machine_set assert service_account.description == description assert get_service_accounts(session, security_team_group) == [service_account] # no-op if account name already exists call_main( session, tmpdir, "service_account", "--actor", good_actor_username, "create", good_service_account_name, security_team_group.groupname, machine_set, description, ) service_account = ServiceAccount.get(session, name=good_service_account_name) assert service_account, "non-account should be created" assert service_account.user.name == good_service_account_name assert service_account.machine_set == machine_set assert service_account.description == description assert get_service_accounts(session, security_team_group) == [service_account] # actor can be a service account as well call_main( session, tmpdir, "service_account", "--actor", "*****@*****.**", "create", "*****@*****.**", security_team_group.groupname, machine_set + "2", description + "2", ) service_account_2 = ServiceAccount.get(session, name="*****@*****.**") assert service_account_2, "non-existing account should be created" assert service_account_2.user.name == "*****@*****.**" assert service_account_2.machine_set == (machine_set + "2") assert service_account_2.description == (description + "2") assert set(get_service_accounts(session, security_team_group)) == set( [service_account, service_account_2] )