def grantable_permissions(session, standard_graph):
    """Create the permissions used by the grant tests and return them.

    Fetches or creates, in order, PERMISSION_GRANT, "grantable",
    "grantable.one" and "grantable.two" (all with an empty description),
    commits the session, and returns the four permission objects as a tuple
    in that same order.

    ``standard_graph`` is not read in the body.
    # NOTE(review): presumably requested only so the graph is set up first; confirm.
    """
    names = (PERMISSION_GRANT, "grantable", "grantable.one", "grantable.two")
    created = []
    for name in names:
        # get_or_create returns a pair; only the permission object is kept.
        permission, _ = Permission.get_or_create(session, name=name, description="")
        created.append(permission)
    session.commit()
    return tuple(created)
def permissions(session):
    """Create the "ssh" and "sudo" permissions and return them keyed by name.

    Each permission is fetched or created through ``Permission.get_or_create``
    with the description "<name> permission". The session is committed before
    the mapping is returned.
    """
    by_name = {}
    for name in ("ssh", "sudo"):
        result = Permission.get_or_create(
            session, name=name, description="{} permission".format(name)
        )
        # Only the first element of the get_or_create result is stored.
        by_name[name] = result[0]
    session.commit()
    return by_name
def permissions(session):
    """Create the test permissions, enable auditing on one, return them by name.

    Fetches or creates "ssh", "sudo", "audited" and PERMISSION_AUDITOR, each
    with the description "<name> permission". ``enable_auditing()`` is called
    on the "audited" permission before the session is committed, so the other
    three are left as get_or_create produced them.
    """
    by_name = {}
    for name in ("ssh", "sudo", "audited", PERMISSION_AUDITOR):
        result = Permission.get_or_create(
            session, name=name, description="{} permission".format(name)
        )
        # Only the first element of the get_or_create result is stored.
        by_name[name] = result[0]

    # Auditing is switched on for exactly one permission, ahead of the commit.
    by_name["audited"].enable_auditing()
    session.commit()
    return by_name
def permissions(session):
    """Return a name -> permission mapping for the audit-related tests.

    The names are "ssh", "sudo", "audited" and PERMISSION_AUDITOR. Every
    permission is fetched or created with the description "<name> permission".
    Only the "audited" entry has ``enable_auditing()`` called on it, and that
    happens before the single ``session.commit()``.
    """
    names = ("ssh", "sudo", "audited", PERMISSION_AUDITOR)
    objects = [
        Permission.get_or_create(
            session, name=name, description="{} permission".format(name)
        )[0]
        for name in names
    ]
    lookup = dict(zip(names, objects))

    audited = lookup["audited"]
    audited.enable_auditing()
    session.commit()
    return lookup
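def test_permission_grant_to_owners(session, standard_graph, groups, grantable_permissions):
    """Test we're getting correct owners according to granted
    'grouper.permission.grant' permissions.

    Covers, in order: no owners before any grant; a grant whose argument names
    a non-existent permission is ignored; a wildcard grant makes the granting
    group the '*' owner of each matching permission without being inherited;
    a grant with an argument substring is recorded under that substring;
    get_owner_arg_list() honours substring wildcards; and a group holding
    PERMISSION_ADMIN is a wildcard owner of every permission.
    """
    perm_grant, _, perm1, perm2 = grantable_permissions

    assert not get_owners_by_grantable_permission(session), 'nothing to begin with'

    # grant a grant on a non-existent permission
    grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one")
    assert not get_owners_by_grantable_permission(session), 'ignore grants for non-existent perms'

    # grant a wildcard grant -- make sure all permissions are represented and
    # the grant isn't inherited
    grant_permission(groups["all-teams"], perm_grant, argument="grantable.*")
    owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
    expected = [groups['all-teams']]
    assert owners_by_arg_by_perm[perm1.name]['*'] == expected, 'grants are not inherited'
    assert len(owners_by_arg_by_perm) == 2
    assert len(owners_by_arg_by_perm[perm1.name]) == 1
    assert len(owners_by_arg_by_perm[perm2.name]) == 1

    # grant on argument substring
    grant_permission(groups["team-sre"], perm_grant,
                     argument="{}/somesubstring*".format(perm1.name))
    owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
    expected = [groups['all-teams']]
    assert owners_by_arg_by_perm[perm1.name]['*'] == expected
    expected = [groups["team-sre"]]
    assert owners_by_arg_by_perm[perm1.name]['somesubstring*'] == expected

    # make sure get_owner() respect substrings
    res = [owner for owner, _arg in get_owner_arg_list(
        session, perm1, "somesubstring", owners_by_arg_by_perm=owners_by_arg_by_perm)]
    # The condition and the message must not share one pair of parentheses:
    # `assert (cond, msg)` tests a non-empty tuple, which is always true, so
    # the substring-match check on permission owners would never fail.
    assert sorted(res) == sorted([groups["all-teams"], groups["team-sre"]]), \
        "should include substring wildcard matches"

    res = [owner for owner, _arg in get_owner_arg_list(
        session, perm1, "othersubstring", owners_by_arg_by_perm=owners_by_arg_by_perm)]
    assert sorted(res) == [groups["all-teams"]], "negative test of substring wildcard matches"

    # permission admins have all the power
    perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="")
    session.commit()
    grant_permission(groups["security-team"], perm_admin)

    owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
    all_permissions = Permission.get_all(session)
    for perm in all_permissions:
        assert perm.name in owners_by_arg_by_perm, 'all permission should be represented'
        assert groups["security-team"] in owners_by_arg_by_perm[perm.name]["*"], \
            'permission admin should be wildcard owners'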
def user_admin_perm_to_auditors(session, groups):
    """Adds a USER_ADMIN permission to the "auditors" group.

    The permission is fetched or created with an empty description and the
    session is committed before the grant is made. Nothing is returned.
    """
    # The second element of the get_or_create result is not needed here.
    permission, _ = Permission.get_or_create(session, name=USER_ADMIN, description="")
    session.commit()

    auditors = groups["auditors"]
    grant_permission(auditors, permission)