def grantable_permissions(session, standard_graph):
perm_grant, _ = Permission.get_or_create(session, name=PERMISSION_GRANT, description="")
perm0, _ = Permission.get_or_create(session, name="grantable", description="")
perm1, _ = Permission.get_or_create(session, name="grantable.one", description="")
perm2, _ = Permission.get_or_create(session, name="grantable.two", description="")
session.commit()
return perm_grant, perm0, perm1, perm2
def permissions(session):
permissions = {
permission: Permission.get_or_create(
session, name=permission, description="{} permission".format(permission))[0]
for permission in ("ssh", "sudo")
}
session.commit()
return permissions
def permissions(session):
permissions = {
permission: Permission.get_or_create(
session, name=permission, description="{} permission".format(permission))[0]
for permission in ("ssh", "sudo", "audited", PERMISSION_AUDITOR)
}
permissions["audited"].enable_auditing()
session.commit()
return permissions
def permissions(session):
permissions = {
permission: Permission.get_or_create(
session,
name=permission,
description="{} permission".format(permission))[0]
for permission in ("ssh", "sudo", "audited", PERMISSION_AUDITOR)
}
permissions["audited"].enable_auditing()
session.commit()
return permissions
def test_permission_grant_to_owners(session, standard_graph, groups, grantable_permissions):
"""Test we're getting correct owners according to granted
'grouper.permission.grant' permissions."""
perm_grant, _, perm1, perm2 = grantable_permissions
assert not get_owners_by_grantable_permission(session), 'nothing to begin with'
# grant a grant on a non-existent permission
grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one")
assert not get_owners_by_grantable_permission(session), 'ignore grants for non-existent perms'
# grant a wildcard grant -- make sure all permissions are represented and
# the grant isn't inherited
grant_permission(groups["all-teams"], perm_grant, argument="grantable.*")
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups['all-teams']]
assert owners_by_arg_by_perm[perm1.name]['*'] == expected, 'grants are not inherited'
assert len(owners_by_arg_by_perm) == 2
assert len(owners_by_arg_by_perm[perm1.name]) == 1
assert len(owners_by_arg_by_perm[perm2.name]) == 1
# grant on argument substring
grant_permission(groups["team-sre"], perm_grant, argument="{}/somesubstring*".format(
perm1.name))
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups['all-teams']]
assert owners_by_arg_by_perm[perm1.name]['*'] == expected
expected = [groups["team-sre"]]
assert owners_by_arg_by_perm[perm1.name]['somesubstring*'] == expected
# make sure get_owner() respect substrings
res = [o for o, a in get_owner_arg_list(session, perm1, "somesubstring",
owners_by_arg_by_perm=owners_by_arg_by_perm)]
assert (sorted(res) == sorted([groups["all-teams"], groups["team-sre"]]),
"should include substring wildcard matches")
res = [o for o, a in get_owner_arg_list(session, perm1, "othersubstring",
owners_by_arg_by_perm=owners_by_arg_by_perm)]
assert sorted(res) == [groups["all-teams"]], "negative test of substring wildcard matches"
# permission admins have all the power
perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="")
session.commit()
grant_permission(groups["security-team"], perm_admin)
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
all_permissions = Permission.get_all(session)
for perm in all_permissions:
assert perm.name in owners_by_arg_by_perm, 'all permission should be represented'
assert groups["security-team"] in owners_by_arg_by_perm[perm.name]["*"], \
'permission admin should be wildcard owners'
def user_admin_perm_to_auditors(session, groups):
"""Adds a USER_ADMIN permission to the "auditors" group"""
user_admin_perm, is_new = Permission.get_or_create(session, name=USER_ADMIN, description="")
session.commit()
grant_permission(groups["auditors"], user_admin_perm)
