def test_service_account_fe_disable(session, standard_graph, http_client, base_url):
    """Exercise the frontend disable/enable endpoints for a service account.

    Walks the authorization boundary in both directions: a user outside the
    owning group is rejected, a group member may disable, the former owner may
    no longer enable once the group link is gone, and a global admin may do
    both regardless of membership.
    """
    graph = standard_graph
    admin = "*****@*****.**"
    owner = "*****@*****.**"
    bystander = "*****@*****.**"

    disable_url = url(base_url, "/groups/security-team/service/[email protected]/disable")
    enable_url = url(base_url, "/service/[email protected]/enable")
    empty_body = urlencode({})
    enable_body = urlencode({"owner": "team-sre"})

    def as_user(who):
        # The caller's identity is carried in this header for every request below.
        return {"X-Grouper-User": who}

    # Unrelated people cannot disable the service account.
    # NOTE(review): only the exception type is pinned here; asserting the response
    # status as well would keep an unrelated server error from satisfying the check.
    with pytest.raises(HTTPError):
        yield http_client.fetch(disable_url, method="POST", headers=as_user(bystander), body=empty_body)

    # Group members can disable the service account.
    response = yield http_client.fetch(disable_url, method="POST", headers=as_user(owner), body=empty_body)
    assert response.code == 200
    graph.update_from_db(session)
    metadata = graph.user_metadata["*****@*****.**"]
    assert not metadata["enabled"]
    group_details = graph.get_group_details("team-sre")
    assert "service_accounts" not in group_details

    # The group owner cannot enable the account, since the group ownership has been lost.
    with pytest.raises(HTTPError):
        yield http_client.fetch(enable_url, method="POST", headers=as_user(owner), body=enable_body)

    # A global admin can enable the account.
    response = yield http_client.fetch(enable_url, method="POST", headers=as_user(admin), body=enable_body)
    assert response.code == 200
    graph.update_from_db(session)
    metadata = graph.user_metadata["*****@*****.**"]
    assert metadata["enabled"]
    assert metadata["service_account"]["owner"] == "team-sre"
    group_details = graph.get_group_details("team-sre")
    assert group_details["service_accounts"] == ["*****@*****.**"]

    # ...and can also disable the account even though they're not a member of the group.
    response = yield http_client.fetch(disable_url, method="POST", headers=as_user(admin), body=empty_body)
    assert response.code == 200
    graph.update_from_db(session)
    metadata = graph.user_metadata["*****@*****.**"]
    assert not metadata["enabled"]
def test_group_audited(standard_graph, session, groups, permissions):  # noqa
    """Check that the audited flag is set only on the appropriate groups and inherited down the graph."""
    graph = standard_graph  # noqa
    expected_audited = {
        "security-team": False,
        "serving-team": True,
        "team-sre": True,
    }
    for group_name, should_be_audited in expected_audited.items():
        details = graph.get_group_details(group_name)
        # Compare truthiness, mirroring a plain `assert flag` / `assert not flag`.
        assert bool(details["audited"]) == should_be_audited, group_name
def test_graph_edit_role(session, graph, standard_graph, groups, users):
    """Test that membership role changes are reflected in the graph."""
    username = "******"
    tech_ops = groups["tech-ops"]
    actor = users["*****@*****.**"]

    def current_role():
        # Read the role through the graph so the test observes what graph consumers see.
        return graph.get_group_details("tech-ops")["users"][username]["rolename"]

    assert current_role() == "np-owner"
    tech_ops.edit_member(actor, users[username], "a reason", role="owner")
    # The graph is a snapshot; it only reflects the edit after a refresh from the DB.
    graph.update_from_db(session)
    assert current_role() == "owner"
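def test_service_accounts(session, standard_graph, users, groups, permissions):
    """Walk a service account through its lifecycle at the model layer.

    Covers lookup, duplicate rejection, who may manage the account, how the
    account appears in the graph, permission grants, and the disable/re-enable
    path -- including that a disabled account loses its group link and its
    permissions, and that re-enabling under another group starts with none.
    """
    graph = standard_graph

    # Look up the pre-existing service account and sanity-check its fields.
    service_account = ServiceAccount.get(session, name="*****@*****.**")
    assert service_account.description == "some service account"
    assert service_account.machine_set == "some machines"
    assert service_account.user.name == "*****@*****.**"
    assert service_account.user.enabled
    assert service_account.user.is_service_account
    service_accounts = get_service_accounts(session, groups["team-sre"])
    assert len(service_accounts) == 1
    assert service_accounts[0].user.name == "*****@*****.**"
    assert is_service_account(session, service_account.user)

    # Duplicates should raise an exception.
    with pytest.raises(DuplicateServiceAccount):
        create_service_account(
            session, users["*****@*****.**"], "*****@*****.**", "dup", "dup", groups["team-sre"]
        )

    # zorkian should be able to manage the account, as should gary, but oliver (not a member
    # of the group) should not.  The negative case is the authorization boundary: only the
    # owning group's members may manage the account.
    assert can_manage_service_account(session, service_account, users["*****@*****.**"])
    assert can_manage_service_account(session, service_account, users["*****@*****.**"])
    assert not can_manage_service_account(session, service_account, users["*****@*****.**"])

    # Check that the user appears in the graph.
    graph.update_from_db(session)
    metadata = graph.user_metadata["*****@*****.**"]
    assert metadata["enabled"]
    assert metadata["service_account"]["description"] == "some service account"
    assert metadata["service_account"]["machine_set"] == "some machines"
    assert metadata["service_account"]["owner"] == "team-sre"
    group_details = graph.get_group_details("team-sre")
    assert group_details["service_accounts"] == ["*****@*****.**"]

    # Grant a permission to the service account and check it in the graph.
    grant_permission_to_service_account(session, service_account, permissions["team-sre"], "*")
    graph.update_from_db(session)
    user_details = graph.get_user_details("*****@*****.**")
    assert user_details["permissions"][0]["permission"] == "team-sre"
    assert user_details["permissions"][0]["argument"] == "*"

    # Disabling the service account should remove the link to the group.
    disable_service_account(session, users["*****@*****.**"], service_account)
    assert not service_account.user.enabled
    assert get_service_accounts(session, groups["team-sre"]) == []

    # The user should also be gone from the graph and have its permissions removed --
    # a disabled account must not keep the grants it held while it was owned.
    graph.update_from_db(session)
    group_details = graph.get_group_details("team-sre")
    assert "service_accounts" not in group_details
    metadata = graph.user_metadata["*****@*****.**"]
    assert not metadata["enabled"]
    assert "owner" not in metadata["service_account"]
    user_details = graph.get_user_details("*****@*****.**")
    assert user_details["permissions"] == []

    # We can re-enable and attach to a different group.
    new_group = groups["security-team"]
    enable_service_account(session, users["*****@*****.**"], service_account, new_group)
    assert service_account.user.enabled
    assert get_service_accounts(session, groups["team-sre"]) == []
    service_accounts = get_service_accounts(session, new_group)
    assert len(service_accounts) == 1
    assert service_accounts[0].user.name == "*****@*****.**"

    # Check that this is reflected in the graph and the user has no permissions:
    # the grant made under the old owner must not carry over to the new one.
    graph.update_from_db(session)
    group_details = graph.get_group_details("security-team")
    assert group_details["service_accounts"] == ["*****@*****.**"]
    metadata = graph.user_metadata["*****@*****.**"]
    assert metadata["service_account"]["owner"] == "security-team"
    user_details = graph.get_user_details("*****@*****.**")
    assert user_details["permissions"] == []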
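def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
    """Test expiration auditing and notification.

    A non-auditor holding an approver role (owner, np-owner, manager) on an
    audited group must be flagged by the background job: the membership edge
    gets an expiration inside the configured window, a notification email is
    queued, and a ``nonauditor_flagged`` audit entry is written.  A plain
    member of the same group must be left untouched.
    """
    graph = standard_graph  # noqa
    audited_group = groups["audited-team"]
    nonauditor = users["*****@*****.**"]
    expire_subject = "Subject: Membership in audited-team set to expire"
    expire_recipient = "To: [email protected]"

    def add_then_run_expiry(role):
        """Add the non-auditor to the audited group with *role*, run expiry, return the edge."""
        add_member(audited_group, nonauditor, role=role)
        session.commit()
        graph.update_from_db(session)
        group_md = graph.get_group_details("audited-team")
        assert group_md.get('audited', False)
        background = BackgroundProcessor(settings, None)
        background.expire_nonauditors(session)
        return session.query(GroupEdge).filter_by(
            group_id=audited_group.id, member_pk=nonauditor.id
        ).scalar()

    def expiry_mail_was_sent():
        """Return True if a 'set to expire' notification to the non-auditor was queued."""
        # Kept as a list on purpose: the helper's name suggests it sends as a side
        # effect, so every queued message is drained rather than letting any()
        # short-circuit and leave mail behind for the next iteration -- TODO confirm.
        return any([
            expire_subject in email.body and expire_recipient in email.body
            for email in _get_unsent_emails_and_send(session)
        ])

    # Test audit autoexpiration for all approvers.
    approver_roles = ["owner", "np-owner", "manager"]
    for flagged_so_far, role in enumerate(approver_roles, start=1):
        edge = add_then_run_expiry(role)
        # The edge must now carry an expiration inside the configured window,
        # measured from a single timestamp so both bounds agree.
        now = datetime.utcnow()
        window_end = now + timedelta(days=settings.nonauditor_expiration_days)
        assert edge.expiration is not None
        assert window_end - timedelta(days=1) < edge.expiration < window_end
        assert expiry_mail_was_sent()
        audits = AuditLog.get_entries(session, action="nonauditor_flagged")
        # Three entries exist before this loop runs (presumably from the fixtures);
        # each flagged approver role adds exactly one more.
        assert len(audits) == 3 + flagged_so_far
        revoke_member(audited_group, nonauditor)

    # Ensure nonauditor, nonapprovers in audited groups do not get set to expired.
    for role in ["member"]:
        edge = add_then_run_expiry(role)
        # A plain member is not an approver: no expiration, no mail, no new audit entry.
        assert edge.expiration is None
        assert not expiry_mail_was_sent()
        audits = AuditLog.get_entries(session, action="nonauditor_flagged")
        assert len(audits) == 3 + len(approver_roles)
        revoke_member(audited_group, nonauditor)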
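def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
    """Test expiration auditing and notification.

    NOTE(review): this is a second ``def`` of ``test_expire_nonauditors``; if both
    live in the same module, this one rebinds the name and pytest only collects
    this definition, so the earlier one (using ``BackgroundProcessor``) never runs.
    Rename or merge them so the intended variant is actually exercised.

    A non-auditor holding an approver role (owner, np-owner, manager) on an
    audited group must be flagged by the background job: the membership edge
    gets an expiration inside the configured window, a notification email is
    queued, and a ``nonauditor_flagged`` audit entry is written.  A plain
    member of the same group must be left untouched.
    """
    graph = standard_graph  # noqa
    audited_group = groups["audited-team"]
    nonauditor = users["*****@*****.**"]
    expire_subject = "Subject: Membership in audited-team set to expire"
    expire_recipient = "To: [email protected]"

    def add_then_run_expiry(role):
        """Add the non-auditor to the audited group with *role*, run expiry, return the edge."""
        add_member(audited_group, nonauditor, role=role)
        session.commit()
        graph.update_from_db(session)
        group_md = graph.get_group_details("audited-team")
        assert group_md.get('audited', False)
        background = BackgroundThread(settings, None)
        background.expire_nonauditors(session)
        return session.query(GroupEdge).filter_by(
            group_id=audited_group.id, member_pk=nonauditor.id
        ).scalar()

    def expiry_mail_was_sent():
        """Return True if a 'set to expire' notification to the non-auditor was queued."""
        # Kept as a list on purpose: the helper's name suggests it sends as a side
        # effect, so every queued message is drained rather than letting any()
        # short-circuit and leave mail behind for the next iteration -- TODO confirm.
        return any([
            expire_subject in email.body and expire_recipient in email.body
            for email in _get_unsent_emails_and_send(session)
        ])

    # Test audit autoexpiration for all approvers.
    approver_roles = ["owner", "np-owner", "manager"]
    for flagged_so_far, role in enumerate(approver_roles, start=1):
        edge = add_then_run_expiry(role)
        # The edge must now carry an expiration inside the configured window,
        # measured from a single timestamp so both bounds agree.
        now = datetime.utcnow()
        window_end = now + timedelta(days=settings.nonauditor_expiration_days)
        assert edge.expiration is not None
        assert window_end - timedelta(days=1) < edge.expiration < window_end
        assert expiry_mail_was_sent()
        audits = AuditLog.get_entries(session, action="nonauditor_flagged")
        # Three entries exist before this loop runs (presumably from the fixtures);
        # each flagged approver role adds exactly one more.
        assert len(audits) == 3 + flagged_so_far
        revoke_member(audited_group, nonauditor)

    # Ensure nonauditor, nonapprovers in audited groups do not get set to expired.
    for role in ["member"]:
        edge = add_then_run_expiry(role)
        # A plain member is not an approver: no expiration, no mail, no new audit entry.
        assert edge.expiration is None
        assert not expiry_mail_was_sent()
        audits = AuditLog.get_entries(session, action="nonauditor_flagged")
        assert len(audits) == 3 + len(approver_roles)
        revoke_member(audited_group, nonauditor)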