def test_inspect_roles_duplicate_differents_options(mocker):
from ldap2pg.manager import SyncManager, UserError
manager = SyncManager()
syncmap = [dict(roles=[
dict(names=['group0']),
dict(names=['group1']),
dict(names=['bob'], options=dict(LOGIN=True)),
dict(names=['bob'], options=dict(LOGIN=False)),
])]
with pytest.raises(UserError):
manager.inspect_ldap(syncmap=syncmap)
def test_inspect_ldap_roles(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
r = mocker.patch('ldap2pg.manager.SyncManager.process_ldap_entry')
from ldap2pg.manager import SyncManager, Role
ql.return_value = [mocker.Mock(name='entry')]
r.side_effect = [
{Role(name='alice', options=dict(SUPERUSER=True))},
{Role(name='bob')},
]
manager = SyncManager(
ldapconn=mocker.Mock(),
)
# Minimal effective syncmap
syncmap = [
dict(roles=[]),
dict(
ldap=dict(base='ou=users,dc=tld', filter='*', attributes=['cn']),
roles=[dict(), dict()],
),
]
ldaproles, _ = manager.inspect_ldap(syncmap=syncmap)
assert 2 == r.call_count, "sync did not iterate over each rules."
assert 'alice' in ldaproles
assert 'bob' in ldaproles
def test_inspect_ldap_roles(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager
from ldap2pg.role import Role
ql.return_value = [('dn', {}, {})]
manager = SyncManager(
ldapconn=mocker.Mock(),
inspector=mocker.Mock(name='inspector'),
)
manager.inspector.roles_blacklist = ['blacklisted']
rule0 = mocker.Mock(name='rule0', all_fields=[])
rule0.generate.return_value = [Role('alice', options=dict(LOGIN=True))]
rule1 = mocker.Mock(name='rule1', all_fields=[])
rule1.generate.return_value = [Role('bob')]
rule2 = mocker.Mock(name='rule2', all_fields=[])
rule2.generate.return_value = [Role('blacklisted')]
# Minimal effective syncmap
syncmap = [
dict(roles=[]),
dict(
ldap=dict(base='ou=users,dc=tld', filter='*', attributes=['cn']),
roles=[rule0, rule1, rule2],
),
]
ldaproles, _ = manager.inspect_ldap(syncmap=syncmap)
assert 'alice' in ldaproles
assert 'bob' in ldaproles
def test_inspect_ldap_unexpected_dn(mocker):
ga = mocker.patch('ldap2pg.manager.get_attribute')
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, RDNError, UserError
from ldap2pg.role import RoleRule
manager = SyncManager()
ga.side_effect = values = [
['member0_cn', RDNError(), 'member1_cn'],
]
ql.return_value = [('dn0', {}, {})]
list(
manager.inspect_ldap([
dict(
description="Test query desc",
ldap=dict(on_unexpected_dn='warn'),
roles=[RoleRule(names=['{member.cn}'])],
)
]))
ga.reset_mock()
ga.side_effect = values
list(
manager.inspect_ldap([
dict(ldap=dict(on_unexpected_dn='ignore'),
roles=[RoleRule(names=['{member.cn}'])])
]))
ga.reset_mock()
ga.side_effect = values
with pytest.raises(UserError):
list(
manager.inspect_ldap(
[dict(
ldap=dict(),
roles=[RoleRule(names=['{member.cn}'])],
)]))
def test_inspect_ldap_roles_comment_error(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, UserError
from ldap2pg.role import CommentError
ql.return_value = [('dn', {}, {})]
rule = mocker.Mock(name='rule', all_fields=[])
rule.generate.side_effect = CommentError("message")
rule.comment.formats = ['From {desc}']
mapping = dict(
ldap=dict(base='ou=users,dc=tld', filter='*', attributes=['cn']),
roles=[rule],
)
manager = SyncManager()
with pytest.raises(UserError):
manager.inspect_ldap(syncmap=[mapping])
def test_inspect_ldap_unexpected_dn(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, UserError, LDAPEntry
from ldap2pg.role import RoleRule
manager = SyncManager()
ql.return_value = [
LDAPEntry('dn0', {
'member': ['cn=member0', 'baddn=o0', 'cn=member1'],
})
]
list(
manager.inspect_ldap([
dict(
description="Test query desc",
ldapsearch=dict(on_unexpected_dn='warn'),
roles=[RoleRule(names=['{member.cn}'])],
)
]))
list(
manager.inspect_ldap([
dict(ldapsearch=dict(on_unexpected_dn='ignore'),
roles=[RoleRule(names=['{member.cn}'])])
]))
with pytest.raises(UserError):
list(
manager.inspect_ldap([
dict(
ldapsearch=dict(),
roles=[RoleRule(names=['{member.cn}'])],
)
]))
def test_inspect_ldap_grants(mocker):
la = mocker.patch(
'ldap2pg.manager.SyncManager.apply_grant_rules', autospec=True)
from ldap2pg.manager import SyncManager, Grant
from ldap2pg.privilege import NspAcl
from ldap2pg.utils import make_group_map
privileges = dict(ro=NspAcl(name='ro'))
la.return_value = [Grant('ro', 'postgres', None, 'alice')]
manager = SyncManager(
psql=mocker.Mock(), ldapconn=mocker.Mock(), privileges=privileges,
privilege_aliases=make_group_map(privileges)
)
syncmap = [dict(roles=[], grant=dict(privilege='ro'))]
_, grants = manager.inspect_ldap(syncmap=syncmap)
assert 1 == len(grants)
def test_inspect_ldap_missing_attribute(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, UserError
from ldap2pg.role import RoleRule
manager = SyncManager()
# Don't return member attribute.
ql.return_value = [('dn0', {}, {})]
with pytest.raises(UserError) as ei:
list(
manager.inspect_ldap([
dict(
ldap=dict(base='...'),
# Request member attribute.
roles=[RoleRule(names=['{member.cn}'])],
)
]))
assert 'Missing attribute member' in str(ei.value)
def test_inspect_roles_merge_duplicates(mocker):
from ldap2pg.manager import SyncManager
manager = SyncManager()
syncmap = [
dict(roles=[
dict(names=['group0']),
dict(names=['group1']),
dict(names=['bob'], parents=['group0']),
dict(names=['bob'], parents=['group1']),
]),
]
ldaproles, _ = manager.inspect_ldap(syncmap=syncmap)
ldaproles = {r: r for r in ldaproles}
assert 'group0' in ldaproles
assert 'group1' in ldaproles
assert 'bob' in ldaproles
assert 3 == len(ldaproles)
assert 2 == len(ldaproles['bob'].parents)
def test_inspect_ldap_grants(mocker):
from ldap2pg.manager import SyncManager
from ldap2pg.privilege import Grant, NspAcl
from ldap2pg.utils import make_group_map
privileges = dict(ro=NspAcl(name='ro'))
manager = SyncManager(
psql=mocker.Mock(),
ldapconn=mocker.Mock(),
privileges=privileges,
privilege_aliases=make_group_map(privileges),
inspector=mocker.Mock(name='inspector'),
)
manager.inspector.roles_blacklist = ['blacklisted']
rule = mocker.Mock(name='grant')
rule.generate.return_value = [
Grant('ro', 'postgres', None, 'alice'),
Grant('ro', 'postgres', None, 'blacklisted'),
]
syncmap = [dict(roles=[], grant=[rule])]
_, grants = manager.inspect_ldap(syncmap=syncmap)
assert 1 == len(grants)