Exemplo n.º 1
    def test_delete_group_with_auth_but_no_perms(self):
        """An authenticated caller without permission gets 403 and the denial is audited.

        Creates the group 'freddy', sends DELETE /api/v1/groups/freddy with
        HTTP Basic credentials for AKIDEXAMPLE2, and checks both the response
        body and the first audit-log call.
        """
        target = Group(name='freddy')
        db.session.add(target)
        db.session.commit()

        # AKIDEXAMPLE2 is presumably a fixture user that authenticates but holds
        # no policy allowing DeleteGroup -- the fixture is outside this block.
        encoded = base64.b64encode(b'AKIDEXAMPLE2:password').decode('utf-8')
        auth_headers = {'Authorization': 'Basic {}'.format(encoded)}

        response = self.client.delete(
            '/api/v1/groups/freddy',
            headers=auth_headers,
            content_type='application/json',
        )

        # 403 (not 401): the caller is known, the action is refused.
        assert response.status_code == 403
        body = json.loads(response.get_data(as_text=True))
        assert body == {'errors': {'authorization': 'NotPermitted'}}
        # NOTE(review): nothing here checks that the 'freddy' row still exists
        # after the refusal; asserting that would catch a handler that deletes
        # before it authorizes.

        # The refused attempt must still produce an audit record naming the
        # action, the outcome and the group that was targeted.
        audit_args, audit_kwargs = self.audit_log.call_args_list[0]
        assert audit_args[0] == 'DeleteGroup'
        expected_extra = {
            'request-id': 'a823a206-95a0-4666-b464-93b9f0606d7b',
            'http.status': 403,
            'errors': {'authorization': 'NotPermitted'},
            'request.group': 'freddy',
        }
        assert audit_kwargs['extra'] == expected_extra
Exemplo n.º 2
    def setUp(self):
        """Run the base fixture, then persist 'test-group' with self.user2 as a member."""
        super().setUp()

        # self.user2 is provided by the parent setUp (not visible in this block).
        fixture_group = Group(name='test-group')
        fixture_group.users.append(self.user2)

        session = db.session
        session.add(fixture_group)
        session.commit()
Exemplo n.º 3
    def test_get_group_with_auth(self):
        """A permitted caller can read a group, and the read is audited.

        Creates the group 'devs', sends GET /api/v1/groups/devs with HTTP Basic
        credentials for AKIDEXAMPLE, and checks the JSON body and the first
        audit-log call.
        """
        devs = Group(name='devs')
        db.session.add(devs)
        db.session.commit()

        encoded = base64.b64encode(b'AKIDEXAMPLE:password').decode('utf-8')
        auth_headers = {'Authorization': 'Basic {}'.format(encoded)}

        response = self.client.get(
            '/api/v1/groups/devs',
            headers=auth_headers,
            content_type='application/json',
        )

        assert response.status_code == 200
        body = json.loads(response.get_data(as_text=True))
        assert body == {'id': 'devs', 'name': 'devs'}

        # Successful reads are audited too; the record carries the action name,
        # the status and the group that was read, and nothing from the
        # Authorization header.
        audit_args, audit_kwargs = self.audit_log.call_args_list[0]
        assert audit_args[0] == 'GetGroup'
        expected_extra = {
            'request-id': 'a823a206-95a0-4666-b464-93b9f0606d7b',
            'http.status': 200,
            'request.group': 'devs',
        }
        assert audit_kwargs['extra'] == expected_extra
    def setUp(self):
        """Run the base fixture, then persist 'test-group' with an empty 'test-policy'."""
        super().setUp()

        fixture_group = Group(name='test-group')
        db.session.add(fixture_group)

        # The policy document is an empty dict, so as written it carries no
        # statements at all.
        fixture_policy = GroupPolicy(name='test-policy', policy={}, group=fixture_group)
        db.session.add(fixture_policy)

        # One commit covers both the group and its policy.
        db.session.commit()
Exemplo n.º 5
    def post(self, audit_ctx):
        """Create a group from the parsed request and return it as JSON.

        The requested name is written into ``audit_ctx`` before the
        authorization call, then ``CreateGroup`` is authorized against the
        group's ARN, and only after that is the row added and committed.
        """
        requested_name = group_parser.parse_args()['name']

        # Recorded ahead of the authorization check; presumably this is so a
        # refused request is still audited with the name it asked for --
        # confirm against the code that consumes audit_ctx.
        audit_ctx['request.group'] = requested_name

        # NOTE(review): internal_authorize is assumed to abort the request on
        # denial (its return value is not inspected here) -- confirm.
        # NOTE(review): the client-supplied name is passed straight into
        # format_arn; check that group_parser restricts characters such as
        # '*' or '/' so a name cannot change which resource the ARN matches.
        group_arn = format_arn('groups', requested_name)
        internal_authorize('CreateGroup', group_arn)

        new_group = Group(name=requested_name)
        db.session.add(new_group)
        db.session.commit()

        serialized = marshal(new_group, group_fields)
        return jsonify(serialized)
Exemplo n.º 6
    def test_authorize_service_by_group(self):
        """A policy attached to a user's group authorizes that user for a service.

        Puts self.user in the group 'team', attaches an Allow policy for
        'myservice:*' on every resource, then calls authorize-by-token with the
        user's Basic credentials forwarded in the request body. Checks the
        decision and the most recent audit-log call, including that the
        forwarded Authorization header value is not written to the log.
        """
        with self.backend.app_context():
            team = Group(name='team')
            team.users.append(self.user)
            db.session.add(team)

            allow_myservice = {
                'Version': '2012-10-17',
                'Statement': [{
                    'Action': 'myservice:*',
                    'Resource': '*',
                    'Effect': 'Allow',
                }],
            }
            team_policy = GroupPolicy(name='myserver', group=team, policy=allow_myservice)
            db.session.add(team_policy)

            db.session.commit()

        # The same credentials are used twice: once to authenticate this call,
        # and once inside the payload as the end-user header being evaluated.
        basic_auth = 'Basic {}'.format(
            base64.b64encode(b'AKIDEXAMPLE:password').decode('utf-8'))
        rocket_arn = 'arn:myservice:rockets/thrift'

        payload = json.dumps({
            'region': 'europe',
            'permit': {
                'LaunchRocket': [rocket_arn],
            },
            'headers': [('Authorization', basic_auth)],
            'context': {},
        })
        response = self.client.post(
            '/api/v1/services/myservice/authorize-by-token',
            data=payload,
            headers={'Authorization': basic_auth},
            content_type='application/json',
        )

        assert response.status_code == 200
        decision = json.loads(response.get_data(as_text=True))
        # 'charles' is presumably the username of the fixture user behind
        # AKIDEXAMPLE -- defined outside this block.
        assert decision == {
            'Authorized': True,
            'Identity': 'charles',
            'Permitted': {
                'LaunchRocket': [rocket_arn]
            },
            'NotPermitted': {},
        }

        # The last audit call is the one for this request.
        audit_args, audit_kwargs = self.audit_log.call_args_list[-1]
        assert audit_args[0] == 'AuthorizeByToken'
        expected_extra = {
            'request-id': 'a823a206-95a0-4666-b464-93b9f0606d7b',
            'http.status': 200,
            'request.service': 'myservice',
            'request.permit': format_json({
                'LaunchRocket': [rocket_arn],
            }),
            'request.region': 'europe',
            'request.actions': ['myservice:LaunchRocket'],
            'request.resources': [rocket_arn],
            # Credential redaction: the header name is logged, the value is
            # replaced by a fixed marker so secrets never reach the audit log.
            'request.headers': ['Authorization: ** NOT LOGGED **'],
            'request.context': {},
            'response.authorized': True,
            'response.identity': 'charles',
            'response.permitted': format_json({'LaunchRocket': [rocket_arn]}),
            'response.not-permitted': format_json({}),
        }
        assert audit_kwargs['extra'] == expected_extra
Exemplo n.º 7
 def test_repr(self):
     """str() of a Group renders as <Group 'name'> with the name quoted."""
     expected = "<Group 'my-user'>"
     rendered = str(Group(name='my-user'))
     assert rendered == expected