def test_fetch_auth_db(self):
# Create AuthGlobalConfig.
global_config = model.AuthGlobalConfig(key=model.root_key())
global_config.oauth_client_id = '1'
global_config.oauth_client_secret = 'secret'
global_config.oauth_additional_client_ids = ['2', '3']
global_config.put()
# Create a bunch of (empty) groups.
groups = [
model.AuthGroup(key=model.group_key('Group A')),
model.AuthGroup(key=model.group_key('Group B')),
]
for group in groups:
group.put()
# And a bunch of secrets (local and global).
local_secrets = [
model.AuthSecret.bootstrap('local%d' % i, 'local')
for i in (0, 1, 2)
]
global_secrets = [
model.AuthSecret.bootstrap('global%d' % i, 'global')
for i in (0, 1, 2)
]
# And IP whitelist.
ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
key=model.ip_whitelist_assignments_key(),
assignments=[
model.AuthIPWhitelistAssignments.Assignment(
identity=model.Anonymous,
ip_whitelist='some ip whitelist',
),
])
ip_whitelist_assignments.put()
some_ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('some ip whitelist'),
subnets=['127.0.0.1/32'])
bots_ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32'])
some_ip_whitelist.put()
bots_ip_whitelist.put()
# This all stuff should be fetched into AuthDB.
auth_db = api.fetch_auth_db()
self.assertEqual(global_config, auth_db.global_config)
self.assertEqual(set(g.key.id() for g in groups), set(auth_db.groups))
self.assertEqual(set(s.key.id() for s in local_secrets),
set(auth_db.secrets['local']))
self.assertEqual(set(s.key.id() for s in global_secrets),
set(auth_db.secrets['global']))
self.assertEqual(ip_whitelist_assignments,
auth_db.ip_whitelist_assignments)
self.assertEqual(
{
'bots': bots_ip_whitelist,
'some ip whitelist': some_ip_whitelist
}, auth_db.ip_whitelists)
def test_nested_groups_cycle(self):
# Groups that nest each other.
group1 = model.AuthGroup(id='Group1')
group1.nested.append('Group2')
group2 = model.AuthGroup(id='Group2')
group2.nested.append('Group1')
# Collect error messages.
errors = []
self.mock(api.logging, 'error', lambda *args: errors.append(args))
# This should not hang, but produce error message.
auth_db = api.AuthDB(groups=[group1, group2])
self.assertFalse(auth_db.is_group_member('Group1', model.Anonymous))
self.assertEqual(1, len(errors))
def test_get_group(self):
g = model.AuthGroup(
key=model.group_key('group'),
members=[
model.Identity.from_bytes('user:[email protected]'),
model.Identity.from_bytes('user:[email protected]'),
],
globs=[model.IdentityGlob.from_bytes('user:*')],
nested=['blah'],
created_by=model.Identity.from_bytes('user:[email protected]'),
created_ts=datetime.datetime(2014, 1, 2, 3, 4, 5),
modified_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=datetime.datetime(2015, 1, 2, 3, 4, 5))
db = api.AuthDB(groups=[g])
# Unknown group.
self.assertIsNone(db.get_group('blah'))
# Known group.
from_cache = db.get_group('group')
self.assertEqual(from_cache.key, g.key)
# Members list is sorted.
self.assertEqual(from_cache.members, [
model.Identity.from_bytes('user:[email protected]'),
model.Identity.from_bytes('user:[email protected]'),
])
# Fields that are know to be different.
exclude = ['members', 'auth_db_rev', 'auth_db_prev_rev']
self.assertEqual(from_cache.to_dict(exclude=exclude),
g.to_dict(exclude=exclude))
def make_group(name, comment, **kwargs):
group = model.AuthGroup(key=model.group_key(name), **kwargs)
group.record_revision(
modified_by=ident('*****@*****.**'),
modified_ts=utils.utcnow(),
comment=comment)
group.put()
def make_auth_db():
model.AuthGlobalConfig(key=model.root_key()).put()
model.AuthIPWhitelistAssignments(
key=model.ip_whitelist_assignments_key()).put()
model.AuthGroup(key=model.group_key('A group')).put()
model.AuthIPWhitelist(key=model.ip_whitelist_key('A whitelist')).put()
model.replicate_auth_db()
def test_group_serialization(self):
"""Serializing snapshot with non-trivial AuthGroup."""
group = model.AuthGroup(
key=model.group_key('some-group'),
members=[
model.Identity.from_bytes('user:[email protected]'),
model.Identity.from_bytes('user:[email protected]'),
],
globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
nested=['Group A', 'Group B'],
description='Blah blah blah',
created_ts=datetime.datetime(2020, 1, 1, 1, 1, 1),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=datetime.datetime(2020, 2, 2, 2, 2, 2),
modified_by=model.Identity.from_bytes('user:[email protected]'),
)
auth_db = make_auth_db_proto(groups=[group])
self.assertEqual(list(auth_db.groups), [
replication_pb2.AuthGroup(
name='some-group',
members=['user:[email protected]', 'user:[email protected]'],
globs=['user:*@example.com'],
nested=['Group A', 'Group B'],
description='Blah blah blah',
created_ts=1577840461000000,
created_by='user:[email protected]',
modified_ts=1580608922000000,
modified_by='user:[email protected]',
owners='administrators',
)
])
def make_group(group_id, nested=(), owners=model.ADMIN_GROUP, store=True):
"""Makes a new AuthGroup to use in test, puts it in datastore."""
entity = model.AuthGroup(
key=model.group_key(group_id), nested=nested, owners=owners)
if store:
entity.put()
return entity
def mock_group(group, members):
"""Creates new group entity in the datastore."""
members = [
model.Identity.from_bytes(m) if isinstance(m, basestring) else m
for m in members
]
model.AuthGroup(key=model.group_key(group), members=members).put()
def test_nested_groups_cycle(self):
# Groups that nest each other.
group1 = model.AuthGroup(id='Group1')
group1.nested.append('Group2')
group2 = model.AuthGroup(id='Group2')
group2.nested.append('Group1')
# Collect warnings.
warnings = []
self.mock(api.logging, 'warning',
lambda msg, *_args: warnings.append(msg))
# This should not hang, but produce error message.
auth_db = api.AuthDB(groups=[group1, group2])
self.assertFalse(auth_db.is_group_member('Group1', model.Anonymous))
self.assertEqual(1, len(warnings))
self.assertTrue('Cycle in a group graph' in warnings[0])
def create_group(group_name):
ent = model.AuthGroup(key=model.group_key(group_name),
members=imported_groups[group_name],
created_ts=timestamp,
created_by=auth.get_service_self_identity(),
modified_ts=timestamp,
modified_by=auth.get_service_self_identity())
to_put.append(ent)
def test_not_real_nested_group_cycle_aka_issue_251(self):
# See https://github.com/luci/luci-py/issues/251.
#
# B -> A, C -> [B, A]. When traversing C, A is seen twice, and this is fine.
group_A = model.AuthGroup(id='A')
group_B = model.AuthGroup(id='B')
group_C = model.AuthGroup(id='C')
group_B.nested = ['A']
group_C.nested = ['A', 'B']
db = api.AuthDB(groups=[group_A, group_B, group_C])
# 'is_group_member' must not report 'Cycle in a group graph' warning.
warnings = []
self.mock(api.logging, 'warning', lambda msg, *_args: warnings.append(msg))
self.assertFalse(db.is_group_member('C', model.Anonymous))
self.assertFalse(warnings)
def create_group(group_name):
assert group_name.startswith('%s/' % system_name), group_name
ent = model.AuthGroup(key=model.group_key(group_name),
members=imported_groups[group_name],
created_ts=timestamp,
created_by=provided_by,
modified_ts=timestamp,
modified_by=provided_by)
to_put.append(ent)
def setUp(self):
super(MembershipTest, self).setUp()
api.reset_local_state()
self.mock(api, 'is_admin', lambda *_: True)
model.AuthGroup(key=model.group_key('testgroup'), members=[]).put()
def is_group_member_mock(group, identity):
group = model.group_key(group).get()
return group is not None and identity in group.members
self.mock(api, 'is_group_member', is_group_member_mock)
def group(name, members, nested=None):
return model.AuthGroup(
key=model.group_key(name),
created_by=ident('admin'),
created_ts=datetime.datetime(1999, 1, 2, 3, 4, 5, 6),
modified_by=ident('admin'),
modified_ts=datetime.datetime(1999, 1, 2, 3, 4, 5, 6),
members=[ident(x) for x in members],
nested=nested or [])
def test_is_group_member(self):
# Test identity.
joe = model.Identity(model.IDENTITY_USER, '*****@*****.**')
# Group that includes joe via glob.
with_glob = model.AuthGroup(id='WithGlob')
with_glob.globs.append(
model.IdentityGlob(model.IDENTITY_USER, '*@example.com'))
# Group that includes joe via explicit listing.
with_listing = model.AuthGroup(id='WithListing')
with_listing.members.append(joe)
# Group that includes joe via nested group.
with_nesting = model.AuthGroup(id='WithNesting')
with_nesting.nested.append('WithListing')
# Creates AuthDB with given list of groups and then runs the check.
is_member = (lambda groups, identity, group: api.AuthDB(groups=groups).
is_group_member(group, identity))
# Wildcard group includes everyone (even anonymous).
self.assertTrue(is_member([], joe, '*'))
self.assertTrue(is_member([], model.Anonymous, '*'))
# An unknown group includes nobody.
self.assertFalse(is_member([], joe, 'Missing'))
self.assertFalse(is_member([], model.Anonymous, 'Missing'))
# Globs are respected.
self.assertTrue(is_member([with_glob], joe, 'WithGlob'))
self.assertFalse(is_member([with_glob], model.Anonymous, 'WithGlob'))
# Members lists are respected.
self.assertTrue(is_member([with_listing], joe, 'WithListing'))
self.assertFalse(
is_member([with_listing], model.Anonymous, 'WithListing'))
# Nested groups are respected.
self.assertTrue(
is_member([with_nesting, with_listing], joe, 'WithNesting'))
self.assertFalse(
is_member([with_nesting, with_listing], model.Anonymous,
'WithNesting'))
def modify(name, commit=True, **kwargs):
k = model.group_key(name)
e = k.get()
if not e:
e = model.AuthGroup(key=k,
created_by=ident_a,
created_ts=utils.utcnow())
e.record_revision(modified_by=ident_a,
modified_ts=utils.utcnow(),
comment='Comment')
e.populate(**kwargs)
e.put()
if commit:
model.replicate_auth_db()
def group(self, name, members=None, globs=None, nested=None, owners=None):
self.groups.append(
model.AuthGroup(
key=model.group_key(name),
members=[
model.Identity.from_bytes(m) for m in (members or [])
],
globs=[
model.IdentityGlob.from_bytes(g) for g in (globs or [])
],
nested=nested or [],
owners=owners or 'default-owners-group',
))
return self
def test_list_group(self):
list_group = (lambda groups, group, recursive: api.AuthDB(
groups=groups).list_group(group, recursive))
grp_1 = model.AuthGroup(id='1')
grp_1.members.extend([
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
])
grp_2 = model.AuthGroup(id='2')
grp_2.nested.append('1')
grp_2.members.extend([
# Specify 'b' again, even though it's in a nested group.
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
])
# Unknown group.
self.assertEqual(set(), list_group([grp_1, grp_2], 'blah', False))
self.assertEqual(set(), list_group([grp_1, grp_2], 'blah', True))
# Non recursive.
expected = set([
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
])
self.assertEqual(expected, list_group([grp_1, grp_2], '2', False))
# Recursive.
expected = set([
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
])
self.assertEqual(expected, list_group([grp_1, grp_2], '2', True))
def test_group_serialization(self):
"""Serializing snapshot with non-trivial AuthGroup."""
group = model.AuthGroup(
key=model.group_key('some-group'),
members=[
model.Identity.from_bytes('user:[email protected]'),
model.Identity.from_bytes('user:[email protected]'),
],
globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
nested=['Group A', 'Group B'],
description='Blah blah blah',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
)
snapshot = make_snapshot_obj(groups=[group])
self.assert_serialization_works(snapshot)
def test_subtoken_audience(self):
auth_db = api.AuthDB(groups=[
model.AuthGroup(
id='abc',
members=[model.Identity.from_bytes('user:[email protected]')],
)
])
tok = fake_subtoken_proto('user:[email protected]',
audience=['user:[email protected]', 'group:abc'])
# Works.
make_id = model.Identity.from_bytes
self.assertTrue(
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db))
self.assertTrue(
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db))
# Other ids are rejected.
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db)
def add_group(self, group, identities):
model.AuthGroup(key=model.group_key(group),
members=[
model.Identity.from_bytes(identity)
for identity in identities
]).put()
def test_fetch_auth_db(self):
# Client IDs callback. Disable config.ensure_configured() since it overrides
# _additional_client_ids_cb after we mock it.
self.mock(config, 'ensure_configured', lambda: None)
self.mock(api, '_additional_client_ids_cb',
lambda: ['', 'cb_client_id'])
self.mock(api, 'get_web_client_id', lambda: 'web_client_id')
# Create AuthGlobalConfig.
global_config = model.AuthGlobalConfig(key=model.root_key())
global_config.oauth_client_id = '1'
global_config.oauth_client_secret = 'secret'
global_config.oauth_additional_client_ids = ['2', '3']
global_config.put()
# Create a bunch of (empty) groups.
groups = [
model.AuthGroup(key=model.group_key('Group A')),
model.AuthGroup(key=model.group_key('Group B')),
]
for group in groups:
group.put()
# And a bunch of secrets.
secrets = [
model.AuthSecret.bootstrap('local%d' % i) for i in (0, 1, 2)
]
# And IP whitelist.
ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
key=model.ip_whitelist_assignments_key(),
assignments=[
model.AuthIPWhitelistAssignments.Assignment(
identity=model.Anonymous,
ip_whitelist='some ip whitelist',
),
])
ip_whitelist_assignments.put()
some_ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('some ip whitelist'),
subnets=['127.0.0.1/32'])
bots_ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32'])
some_ip_whitelist.put()
bots_ip_whitelist.put()
# This all stuff should be fetched into AuthDB.
auth_db = api.fetch_auth_db()
self.assertEqual(global_config, auth_db.global_config)
self.assertEqual(set(g.key.id() for g in groups), set(auth_db.groups))
self.assertEqual(set(s.key.id() for s in secrets),
set(auth_db.secrets))
self.assertEqual(ip_whitelist_assignments,
auth_db.ip_whitelist_assignments)
self.assertEqual(
{
'bots': bots_ip_whitelist,
'some ip whitelist': some_ip_whitelist
}, auth_db.ip_whitelists)
self.assertTrue(auth_db.is_allowed_oauth_client_id('1'))
self.assertTrue(auth_db.is_allowed_oauth_client_id('cb_client_id'))
self.assertTrue(auth_db.is_allowed_oauth_client_id('web_client_id'))
self.assertFalse(auth_db.is_allowed_oauth_client_id(''))
def test_non_empty(self):
self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1))
state = model.AuthReplicationState(key=model.replication_state_key(),
primary_id='blah',
primary_url='https://blah',
auth_db_rev=123)
state.put()
global_config = model.AuthGlobalConfig(
key=model.root_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
oauth_client_id='oauth_client_id',
oauth_client_secret='oauth_client_secret',
oauth_additional_client_ids=['a', 'b'],
token_server_url='https://token-server',
security_config='security config blob')
global_config.put()
group = model.AuthGroup(
key=model.group_key('Some group'),
members=[model.Identity.from_bytes('user:[email protected]')],
globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
nested=[],
description='Some description',
owners='owning-group',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
group.put()
another = model.AuthGroup(key=model.group_key('Another group'),
nested=['Some group'])
another.put()
ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('bots'),
subnets=['127.0.0.1/32'],
description='Some description',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
ip_whitelist.put()
ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
key=model.ip_whitelist_assignments_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
assignments=[
model.AuthIPWhitelistAssignments.Assignment(
identity=model.Identity.from_bytes(
'user:[email protected]'),
ip_whitelist='bots',
comment='some comment',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes(
'user:[email protected]')),
])
ip_whitelist_assignments.put()
realms_globals = model.AuthRealmsGlobals(
key=model.realms_globals_key(),
permissions=[
realms_pb2.Permission(name='luci.dev.p1'),
realms_pb2.Permission(name='luci.dev.p2'),
])
realms_globals.put()
model.AuthProjectRealms(key=model.project_realms_key('proj_id1'),
realms=realms_pb2.Realms(api_version=1234),
config_rev='rev1',
perms_rev='rev1').put()
model.AuthProjectRealms(key=model.project_realms_key('proj_id2'),
realms=realms_pb2.Realms(api_version=1234),
config_rev='rev2',
perms_rev='rev2').put()
captured_state, snapshot = replication.new_auth_db_snapshot()
expected_state = {
'auth_db_rev': 123,
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'primary_id': u'blah',
'primary_url': u'https://blah',
'shard_ids': [],
}
self.assertEqual(expected_state, captured_state.to_dict())
expected_snapshot = {
'global_config': {
'__id__':
'root',
'__parent__':
None,
'auth_db_rev':
None,
'auth_db_prev_rev':
None,
'modified_by':
model.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'oauth_additional_client_ids': [u'a', u'b'],
'oauth_client_id':
u'oauth_client_id',
'oauth_client_secret':
u'oauth_client_secret',
'security_config':
'security config blob',
'token_server_url':
u'https://token-server',
},
'groups': [
{
'__id__': 'Another group',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': None,
'created_ts': None,
'description': u'',
'globs': [],
'members': [],
'modified_by': None,
'modified_ts': None,
'nested': [u'Some group'],
'owners': u'administrators',
},
{
'__id__':
'Some group',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev':
None,
'auth_db_prev_rev':
None,
'created_by':
model.Identity(kind='user', name='*****@*****.**'),
'created_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'description':
u'Some description',
'globs':
[model.IdentityGlob(kind='user', pattern='*@example.com')],
'members':
[model.Identity(kind='user', name='*****@*****.**')],
'modified_by':
model.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'nested': [],
'owners':
u'owning-group',
},
],
'ip_whitelists': [
{
'__id__':
'bots',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev':
None,
'auth_db_prev_rev':
None,
'created_by':
model.Identity(kind='user', name='*****@*****.**'),
'created_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'description':
u'Some description',
'modified_by':
model.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'subnets': [u'127.0.0.1/32'],
},
],
'ip_whitelist_assignments': {
'__id__':
'default',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'assignments': [
{
'comment':
u'some comment',
'created_by':
model.Identity(kind='user',
name='*****@*****.**'),
'created_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
'identity':
model.Identity(kind='user',
name='*****@*****.**'),
'ip_whitelist':
u'bots',
},
],
'auth_db_rev':
None,
'auth_db_prev_rev':
None,
'modified_by':
model.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 1, 1, 1),
},
'realms_globals': {
'__id__':
'globals',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_prev_rev':
None,
'auth_db_rev':
None,
'modified_by':
None,
'modified_ts':
None,
'permissions': [
realms_pb2.Permission(name='luci.dev.p1'),
realms_pb2.Permission(name='luci.dev.p2'),
],
},
'project_realms': [{
'__id__':
'proj_id1',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_prev_rev':
None,
'auth_db_rev':
None,
'config_rev':
u'rev1',
'perms_rev':
u'rev1',
'modified_by':
None,
'modified_ts':
None,
'realms':
realms_pb2.Realms(api_version=1234),
}, {
'__id__':
'proj_id2',
'__parent__':
ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_prev_rev':
None,
'auth_db_rev':
None,
'config_rev':
u'rev2',
'perms_rev':
u'rev2',
'modified_by':
None,
'modified_ts':
None,
'realms':
realms_pb2.Realms(api_version=1234),
}],
}
self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def test_non_empty(self):
self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1))
state = model.AuthReplicationState(
key=model.replication_state_key(),
primary_id='blah',
primary_url='https://blah',
auth_db_rev=123)
state.put()
global_config = model.AuthGlobalConfig(
key=model.root_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
oauth_client_id='oauth_client_id',
oauth_client_secret='oauth_client_secret',
oauth_additional_client_ids=['a', 'b'])
global_config.put()
group = model.AuthGroup(
key=model.group_key('Some group'),
members=[model.Identity.from_bytes('user:[email protected]')],
globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
nested=[],
description='Some description',
owners='owning-group',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
group.put()
another = model.AuthGroup(
key=model.group_key('Another group'),
nested=['Some group'])
another.put()
global_secret = model.AuthSecret(
id='global_secret',
parent=model.secret_scope_key('global'),
values=['1234', '5678'],
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
global_secret.put()
# Local secret should not appear in a snapshot.
local_secret = model.AuthSecret(
id='local_secret',
parent=model.secret_scope_key('local'),
values=['1234', '5678'],
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
local_secret.put()
ip_whitelist = model.AuthIPWhitelist(
key=model.ip_whitelist_key('bots'),
subnets=['127.0.0.1/32'],
description='Some description',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]'),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'))
ip_whitelist.put()
ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
key=model.ip_whitelist_assignments_key(),
modified_ts=utils.utcnow(),
modified_by=model.Identity.from_bytes('user:[email protected]'),
assignments=[
model.AuthIPWhitelistAssignments.Assignment(
identity=model.Identity.from_bytes('user:[email protected]'),
ip_whitelist='bots',
comment='some comment',
created_ts=utils.utcnow(),
created_by=model.Identity.from_bytes('user:[email protected]')),
])
ip_whitelist_assignments.put()
captured_state, snapshot = replication.new_auth_db_snapshot()
expected_state = {
'auth_db_rev': 123,
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'primary_id': u'blah',
'primary_url': u'https://blah',
}
self.assertEqual(expected_state, captured_state.to_dict())
expected_snapshot = {
'global_config': {
'__id__': 'root',
'__parent__': None,
'auth_db_rev': None,
'auth_db_prev_rev': None,
'modified_by': model.Identity(kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'oauth_additional_client_ids': [u'a', u'b'],
'oauth_client_id': u'oauth_client_id',
'oauth_client_secret': u'oauth_client_secret',
},
'groups': [
{
'__id__': 'Another group',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': None,
'created_ts': None,
'description': u'',
'globs': [],
'members': [],
'modified_by': None,
'modified_ts': None,
'nested': [u'Some group'],
'owners': u'administrators',
},
{
'__id__': 'Some group',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': model.Identity(kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'description': u'Some description',
'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')],
'members': [model.Identity(kind='user', name='*****@*****.**')],
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'nested': [],
'owners': u'owning-group',
},
],
'secrets': [
{
'__id__': 'global_secret',
'__parent__': ndb.Key(
'AuthGlobalConfig', 'root', 'AuthSecretScope', 'global'),
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'values': ['1234', '5678'],
},
],
'ip_whitelists': [
{
'__id__': 'bots',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'auth_db_rev': None,
'auth_db_prev_rev': None,
'created_by': model.Identity(kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'description': u'Some description',
'modified_by': model.Identity(
kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'subnets': [u'127.0.0.1/32'],
},
],
'ip_whitelist_assignments': {
'__id__': 'default',
'__parent__': ndb.Key('AuthGlobalConfig', 'root'),
'assignments': [
{
'comment': u'some comment',
'created_by': model.Identity(
kind='user', name='*****@*****.**'),
'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
'identity': model.Identity(
kind='user', name='*****@*****.**'),
'ip_whitelist': u'bots',
},
],
'auth_db_rev': None,
'auth_db_prev_rev': None,
'modified_by': model.Identity(kind='user', name='*****@*****.**'),
'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
},
}
self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def group(name, **kwargs):
return model.AuthGroup(
key=model.group_key(name),
created_ts=utils.utcnow(),
modified_ts=utils.utcnow(),
**kwargs)
def test_list_group(self):
def list_group(groups, group, recursive):
l = api.AuthDB(groups=groups).list_group(group, recursive)
return api.GroupListing(sorted(l.members), sorted(l.globs),
sorted(l.nested))
grp_1 = model.AuthGroup(id='1')
grp_1.members.extend([
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
])
grp_1.globs.extend([
model.IdentityGlob(model.IDENTITY_USER, '*@a.example.com'),
model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'),
])
grp_2 = model.AuthGroup(id='2')
grp_2.nested.append('1')
grp_2.members.extend([
# Specify 'b' again, even though it's in a nested group.
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
])
grp_2.globs.extend([
# Specify '*@b.example.com' again, even though it's in a nested group.
model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'),
model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'),
])
# Unknown group.
empty = api.GroupListing([], [], [])
self.assertEqual(empty, list_group([grp_1, grp_2], 'blah', False))
self.assertEqual(empty, list_group([grp_1, grp_2], 'blah', True))
# Non recursive.
expected = api.GroupListing(
members=[
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
],
globs=[
model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'),
model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'),
],
nested=['1'])
self.assertEqual(expected, list_group([grp_1, grp_2], '2', False))
# Recursive.
expected = api.GroupListing(
members=[
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
],
globs=[
model.IdentityGlob(model.IDENTITY_USER, '*@a.example.com'),
model.IdentityGlob(model.IDENTITY_USER, '*@b.example.com'),
model.IdentityGlob(model.IDENTITY_USER, '*@c.example.com'),
],
nested=['1'])
self.assertEqual(expected, list_group([grp_1, grp_2], '2', True))
def group(name, **kwargs):
return model.AuthGroup(key=model.group_key(name), **kwargs)
