def test_service_account_fe_perms( session, standard_graph, graph, http_client, base_url # noqa: F811 ): admin = "*****@*****.**" owner = "*****@*****.**" plebe = "*****@*****.**" # Unrelated people cannot create a service account fe_url = url(base_url, "/groups/team-sre/service/create") with pytest.raises(HTTPError): yield http_client.fetch( fe_url, method="POST", headers={"X-Grouper-User": plebe}, body=urlencode({ "name": "service_account", "description": "*", "machine_set": "*" }), ) # But group members can create service accounts resp = yield http_client.fetch( fe_url, method="POST", headers={"X-Grouper-User": owner}, body=urlencode({ "name": "service_account", "description": "*", "machine_set": "*" }), ) assert resp.code == 200 # Unrelated people cannot grant a permission. fe_url = url(base_url, "/groups/team-sre/service/[email protected]/grant") with pytest.raises(HTTPError): yield http_client.fetch( fe_url, method="POST", headers={"X-Grouper-User": plebe}, body=urlencode({ "permission": "team-sre", "argument": "*" }), ) # Even group owners cannot grant an unrelated permission. resp = yield http_client.fetch( fe_url, method="POST", headers={"X-Grouper-User": owner}, body=urlencode({ "permission": "other-perm", "argument": "*" }), ) assert resp.code == 200 graph.update_from_db(session) metadata = graph.get_user_details("*****@*****.**") assert metadata["permissions"] == [] # Group owners can delegate a team permission. resp = yield http_client.fetch( fe_url, method="POST", headers={"X-Grouper-User": owner}, body=urlencode({ "permission": "team-sre", "argument": "*" }), ) assert resp.code == 200 # Global user admins still cannot grant an unrelated permission. resp = yield http_client.fetch( fe_url, method="POST", headers={"X-Grouper-User": admin}, body=urlencode({ "permission": "other-perm", "argument": "*" }), ) assert resp.code == 200 graph.update_from_db(session) metadata = graph.get_user_details("*****@*****.**") assert len(metadata["permissions"]) == 1 # But can delegate a team permission. resp = yield http_client.fetch( fe_url, method="POST", headers={"X-Grouper-User": admin}, body=urlencode({ "permission": "ssh", "argument": "*" }), ) assert resp.code == 200 # Check that the permissions are reflected in the graph. graph.update_from_db(session) metadata = graph.get_user_details("*****@*****.**") perms = [(p["permission"], p["argument"]) for p in metadata["permissions"]] assert sorted(perms) == [("ssh", "*"), ("team-sre", "*")] # Find the mapping IDs of the two permissions. service_account = ServiceAccount.get(session, name="*****@*****.**") perms = service_account_permissions(session, service_account) # Unrelated people cannot revoke a permission. fe_url = url( base_url, "/groups/team-sre/service/[email protected]/revoke/{}".format( perms[0].mapping_id)) with pytest.raises(HTTPError): yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": plebe}, body=urlencode({})) # But the group owner and a global admin can. resp = yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": admin}, body=urlencode({})) assert resp.code == 200 fe_url = url( base_url, "/groups/team-sre/service/[email protected]/revoke/{}".format( perms[1].mapping_id)) resp = yield http_client.fetch(fe_url, method="POST", headers={"X-Grouper-User": owner}, body=urlencode({})) assert resp.code == 200 # This should have removed all the permissions. graph.update_from_db(session) metadata = graph.get_user_details("*****@*****.**") assert metadata["permissions"] == []
def test_service_accounts( session, standard_graph, graph, users, groups, permissions # noqa: F811 ): # Create a service account. service_account = ServiceAccount.get(session, name="*****@*****.**") assert service_account.description == "some service account" assert service_account.machine_set == "some machines" assert service_account.user.name == "*****@*****.**" assert service_account.user.enabled == True assert service_account.user.is_service_account == True accounts = get_service_accounts(session, groups["team-sre"]) assert len(accounts) == 1 assert accounts[0].user.name == "*****@*****.**" assert is_service_account(session, service_account.user) # Duplicates should raise an exception. with pytest.raises(DuplicateServiceAccount): create_service_account(session, users["*****@*****.**"], "*****@*****.**", "dup", "dup", groups["team-sre"]) # zorkian should be able to manage the account, as should gary, but oliver (not a member of the # group) should not. assert can_manage_service_account(session, service_account, users["*****@*****.**"]) assert can_manage_service_account(session, service_account, users["*****@*****.**"]) assert not can_manage_service_account(session, service_account, users["*****@*****.**"]) # Check that the user appears in the graph. graph.update_from_db(session) metadata = graph.user_metadata["*****@*****.**"] assert metadata["enabled"] assert metadata["service_account"]["description"] == "some service account" assert metadata["service_account"]["machine_set"] == "some machines" assert metadata["service_account"]["owner"] == "team-sre" group_details = graph.get_group_details("team-sre") assert group_details["service_accounts"] == ["*****@*****.**"] # Grant a permission to the service account and check it in the graph. grant_permission_to_service_account(session, service_account, permissions["team-sre"], "*") graph.update_from_db(session) user_details = graph.get_user_details("*****@*****.**") assert user_details["permissions"][0]["permission"] == "team-sre" assert user_details["permissions"][0]["argument"] == "*" # Diabling the service account should remove the link to the group. disable_service_account(session, users["*****@*****.**"], service_account) assert service_account.user.enabled == False assert get_service_accounts(session, groups["team-sre"]) == [] # The user should also be gone from the graph and have its permissions removed. graph.update_from_db(session) group_details = graph.get_group_details("team-sre") assert "service_accounts" not in group_details metadata = graph.user_metadata["*****@*****.**"] assert not metadata["enabled"] assert "owner" not in metadata["service_account"] user_details = graph.get_user_details("*****@*****.**") assert user_details["permissions"] == [] # We can re-enable and attach to a different group. new_group = groups["security-team"] enable_service_account(session, users["*****@*****.**"], service_account, new_group) assert service_account.user.enabled == True assert get_service_accounts(session, groups["team-sre"]) == [] accounts = get_service_accounts(session, new_group) assert len(accounts) == 1 assert accounts[0].user.name == "*****@*****.**" # Check that this is reflected in the graph and the user has no permissions. graph.update_from_db(session) group_details = graph.get_group_details("security-team") assert group_details["service_accounts"] == ["*****@*****.**"] metadata = graph.user_metadata["*****@*****.**"] assert metadata["service_account"]["owner"] == "security-team" user_details = graph.get_user_details("*****@*****.**") assert user_details["permissions"] == []
def test_exclude_disabled_permissions( session, standard_graph, graph, users, groups, permissions # noqa: F811 ): """ Ensure that disabled permissions are excluded from various functions/methods that return data from the models. """ perm_ssh = get_permission(session, "ssh") perm_grant = create_permission(session, PERMISSION_GRANT) session.commit() # this user has grouper.permission.grant with argument "ssh/*" grant_permission(groups["group-admins"], perm_grant, argument="ssh/*") graph.update_from_db(session) grant_perms = [ x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT ] assert "ssh" == filter_grantable_permissions(session, grant_perms)[0][0].name assert "ssh" in (p.name for p in get_all_permissions(session)) assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=False)) assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True)) assert "ssh" in get_grantable_permissions(session, []) assert "team-sre" in [g[0] for g in get_groups_by_permission(session, perm_ssh)] assert get_owner_arg_list(session, perm_ssh, "*") assert "ssh" in get_owners_by_grantable_permission(session) assert "ssh" in (x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"])) assert user_has_permission(session, users["*****@*****.**"], "ssh") assert "ssh" in (p.name for p in user_permissions(session, users["*****@*****.**"])) assert "ssh" in (p["permission"] for p in graph.get_group_details("team-sre")["permissions"]) assert "ssh" in (pt.name for pt in graph.get_permissions()) assert "team-sre" in graph.get_permission_details("ssh")["groups"] assert "ssh" in (p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"]) # now disable the ssh permission disable_permission(session, "ssh", users["*****@*****.**"].id) graph.update_from_db(session) grant_perms = [ x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT ] assert not filter_grantable_permissions(session, grant_perms) assert "ssh" not in (p.name for p in get_all_permissions(session)) assert "ssh" not in (p.name for p in get_all_permissions(session, include_disabled=False)) assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True)) assert "ssh" not in get_grantable_permissions(session, []) assert not get_groups_by_permission(session, perm_ssh) assert not get_owner_arg_list(session, perm_ssh, "*") assert "ssh" not in get_owners_by_grantable_permission(session) assert "ssh" not in ( x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"]) ) assert not user_has_permission(session, users["*****@*****.**"], "ssh") assert "ssh" not in (p.name for p in user_permissions(session, users["*****@*****.**"])) assert "ssh" not in ( p["permission"] for p in graph.get_group_details("team-sre")["permissions"] ) assert "ssh" not in (pt.name for pt in graph.get_permissions()) assert not graph.get_permission_details("ssh")["groups"] assert "ssh" not in ( p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"] )