def test_permission_grant_to_owners(session, standard_graph, groups, grantable_permissions):
"""Test we're getting correct owners according to granted
'grouper.permission.grant' permissions."""
perm_grant, _, perm1, perm2 = grantable_permissions
assert not get_owners_by_grantable_permission(session), "nothing to begin with"
# grant a grant on a non-existent permission
grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one")
assert not get_owners_by_grantable_permission(session), "ignore grants for non-existent perms"
# grant a wildcard grant -- make sure all permissions are represented and
# the grant isn't inherited
grant_permission(groups["all-teams"], perm_grant, argument="grantable.*")
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups["all-teams"]]
assert owners_by_arg_by_perm[perm1.name]["*"] == expected, "grants are not inherited"
assert len(owners_by_arg_by_perm) == 2
assert len(owners_by_arg_by_perm[perm1.name]) == 1
assert len(owners_by_arg_by_perm[perm2.name]) == 1
# grant on argument substring
grant_permission(groups["team-sre"], perm_grant, argument="{}/somesubstring*".format(perm1.name))
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups["all-teams"]]
assert owners_by_arg_by_perm[perm1.name]["*"] == expected
expected = [groups["team-sre"]]
assert owners_by_arg_by_perm[perm1.name]["somesubstring*"] == expected
# make sure get_owner() respect substrings
res = [
o for o, a in get_owner_arg_list(session, perm1, "somesubstring", owners_by_arg_by_perm=owners_by_arg_by_perm)
]
assert (
sorted(res) == sorted([groups["all-teams"], groups["team-sre"]]),
"should include substring wildcard matches",
)
res = [
o for o, a in get_owner_arg_list(session, perm1, "othersubstring", owners_by_arg_by_perm=owners_by_arg_by_perm)
]
assert sorted(res) == [groups["all-teams"]], "negative test of substring wildcard matches"
# permission admins have all the power
perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="")
session.commit()
grant_permission(groups["security-team"], perm_admin)
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
all_permissions = Permission.get_all(session)
for perm in all_permissions:
assert perm.name in owners_by_arg_by_perm, "all permission should be represented"
assert (
groups["security-team"] in owners_by_arg_by_perm[perm.name]["*"]
), "permission admin should be wildcard owners"
def get(self, request_id):
# check for request existence
request = permissions.get_request_by_id(self.session, request_id)
if not request:
return self.notfound()
# compile list of changes to this request
owners_by_arg_by_perm = permissions.get_owners_by_grantable_permission(
self.session, separate_global=True
)
change_comment_list = permissions.get_changes_by_request_id(self.session, request_id)
can_approve_request = permissions.can_approve_request(
self.session, request, self.current_user, owners_by_arg_by_perm=owners_by_arg_by_perm
)
approvers = []
if not can_approve_request:
owner_arg_list = permissions.get_owner_arg_list(
self.session, request.permission, request.argument
)
all_owners = {o.groupname for o, _ in owner_arg_list}
global_owners = {
o.groupname for o in owners_by_arg_by_perm[permissions.GLOBAL_OWNERS]['*']
}
non_global_owners = all_owners - global_owners
approvers = non_global_owners if len(non_global_owners) else all_owners
form = PermissionRequestUpdateForm(self.request.arguments)
form.status.choices = self._get_choices(request.status)
return self.render("permission-request-update.html", form=form, request=request,
change_comment_list=change_comment_list, statuses=REQUEST_STATUS_CHOICES,
can_approve_request=can_approve_request, approvers=approvers)
def get(self):
form = PermissionRequestsForm(self.request.arguments)
form.status.choices = [("", "")] + [(k, k)
for k in REQUEST_STATUS_CHOICES]
if not form.validate():
alerts = self.get_form_alerts(form.errors)
request_tuple = None
total = 0
granters_by_arg_by_perm = None
else:
alerts = []
owners_by_arg_by_perm = permissions.get_owners_by_grantable_permission(
self.session)
if form.direction.data == "Waiting my approval":
owner = self.current_user
requester = None
else: # "Requested by me"
owner = None
requester = self.current_user
request_tuple, total = permissions.get_requests(
self.session,
status=form.status.data,
limit=form.limit.data,
offset=form.offset.data,
owner=owner,
requester=requester,
owners_by_arg_by_perm=owners_by_arg_by_perm,
)
granters_by_arg_by_perm = defaultdict(dict)
for request in request_tuple.requests:
owners = permissions.get_owner_arg_list(
self.session,
request.permission,
request.argument,
owners_by_arg_by_perm=owners_by_arg_by_perm,
)
granters = [owner_pair[0].name for owner_pair in owners]
granters_by_arg_by_perm[request.permission.name][
request.argument] = granters
return self.render(
"permission-requests.html",
form=form,
request_tuple=request_tuple,
granters=granters_by_arg_by_perm,
alerts=alerts,
total=total,
statuses=REQUEST_STATUS_CHOICES,
)
def get(self):
form = PermissionRequestsForm(self.request.arguments)
form.status.choices = [("", "")] + [(k, k) for k in REQUEST_STATUS_CHOICES]
if not form.validate():
alerts = self.get_form_alerts(form.errors)
request_tuple = None
total = 0
granters_by_arg_by_perm = None
else:
alerts = []
owners_by_arg_by_perm = permissions.get_owners_by_grantable_permission(self.session)
if form.direction.data == "Waiting my approval":
owner = self.current_user
requester = None
else: # "Requested by me"
owner = None
requester = self.current_user
request_tuple, total = permissions.get_requests(
self.session,
status=form.status.data,
limit=form.limit.data,
offset=form.offset.data,
owner=owner,
requester=requester,
owners_by_arg_by_perm=owners_by_arg_by_perm,
)
granters_by_arg_by_perm = defaultdict(dict)
for request in request_tuple.requests:
owners = permissions.get_owner_arg_list(
self.session,
request.permission,
request.argument,
owners_by_arg_by_perm=owners_by_arg_by_perm,
)
granters = [owner_pair[0].name for owner_pair in owners]
granters_by_arg_by_perm[request.permission.name][request.argument] = granters
return self.render(
"permission-requests.html",
form=form,
request_tuple=request_tuple,
granters=granters_by_arg_by_perm,
alerts=alerts,
total=total,
statuses=REQUEST_STATUS_CHOICES,
)
def get(self, request_id):
# check for request existence
request = permissions.get_request_by_id(self.session, request_id)
if not request:
return self.notfound()
# compile list of changes to this request
owners_by_arg_by_perm = permissions.get_owners_by_grantable_permission(
self.session, separate_global=True)
change_comment_list = permissions.get_changes_by_request_id(
self.session, request_id)
can_approve_request = permissions.can_approve_request(
self.session,
request,
self.current_user,
owners_by_arg_by_perm=owners_by_arg_by_perm)
approvers = []
if not can_approve_request:
owner_arg_list = permissions.get_owner_arg_list(
self.session, request.permission, request.argument)
all_owners = {o.groupname for o, _ in owner_arg_list}
global_owners = {
o.groupname
for o in owners_by_arg_by_perm[permissions.GLOBAL_OWNERS]["*"]
}
non_global_owners = all_owners - global_owners
approvers = non_global_owners if len(
non_global_owners) else all_owners
form = PermissionRequestUpdateForm(self.request.arguments)
form.status.choices = self._get_choices(request.status)
return self.render(
"permission-request-update.html",
form=form,
request=request,
change_comment_list=change_comment_list,
statuses=REQUEST_STATUS_CHOICES,
can_approve_request=can_approve_request,
approvers=approvers,
)
def test_permission_grant_to_owners(
session,
standard_graph,
groups,
grantable_permissions,
permissions # noqa: F811
):
"""Test we're getting correct owners according to granted
'grouper.permission.grant' permissions."""
perm_grant, _, perm1, perm2 = grantable_permissions
# Disable the group with permission admin since otherwise they're an approver on everything,
# and check that there are then no approvers.
groups["permission-admins"].disable()
session.commit()
assert not get_owners_by_grantable_permission(
session), "nothing to begin with"
# grant a grant on a non-existent permission
grant_permission(groups["auditors"],
perm_grant,
argument="notgrantable.one")
assert not get_owners_by_grantable_permission(
session), "ignore grants for non-existent perms"
# grant a wildcard grant -- make sure all permissions are represented and
# the grant isn't inherited
grant_permission(groups["all-teams"], perm_grant, argument="grantable.*")
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups["all-teams"]]
assert owners_by_arg_by_perm[
perm1.name]["*"] == expected, "grants are not inherited"
assert len(owners_by_arg_by_perm) == 2
assert len(owners_by_arg_by_perm[perm1.name]) == 1
assert len(owners_by_arg_by_perm[perm2.name]) == 1
# grant on argument substring
grant_permission(groups["team-sre"],
perm_grant,
argument="{}/somesubstring*".format(perm1.name))
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups["all-teams"]]
assert owners_by_arg_by_perm[perm1.name]["*"] == expected
expected = [groups["team-sre"]]
assert owners_by_arg_by_perm[perm1.name]["somesubstring*"] == expected
# make sure get_owner() respect substrings
res = [
o.groupname for o, a in get_owner_arg_list(
session,
perm1,
"somesubstring",
owners_by_arg_by_perm=owners_by_arg_by_perm)
]
assert sorted(res) == ["all-teams", "team-sre"
], "should include substring wildcard matches"
res = [
o.groupname for o, a in get_owner_arg_list(
session,
perm1,
"othersubstring",
owners_by_arg_by_perm=owners_by_arg_by_perm)
]
assert sorted(res) == ["all-teams"
], "negative test of substring wildcard matches"
# permission admins have all the power
grant_permission(groups["security-team"], permissions[PERMISSION_ADMIN])
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
all_permissions = get_all_permissions(session)
for perm in all_permissions:
assert perm.name in owners_by_arg_by_perm, "all permission should be represented"
assert (groups["security-team"]
in owners_by_arg_by_perm[perm.name]["*"]
), "permission admin should be wildcard owners"
def test_permission_grant_to_owners(session, standard_graph, groups,
grantable_permissions):
"""Test we're getting correct owners according to granted
'grouper.permission.grant' permissions."""
perm_grant, _, perm1, perm2 = grantable_permissions
assert not get_owners_by_grantable_permission(
session), 'nothing to begin with'
# grant a grant on a non-existent permission
grant_permission(groups["auditors"],
perm_grant,
argument="notgrantable.one")
assert not get_owners_by_grantable_permission(
session), 'ignore grants for non-existent perms'
# grant a wildcard grant -- make sure all permissions are represented and
# the grant isn't inherited
grant_permission(groups["all-teams"], perm_grant, argument="grantable.*")
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups['all-teams']]
assert owners_by_arg_by_perm[
perm1.name]['*'] == expected, 'grants are not inherited'
assert len(owners_by_arg_by_perm) == 2
assert len(owners_by_arg_by_perm[perm1.name]) == 1
assert len(owners_by_arg_by_perm[perm2.name]) == 1
# grant on argument substring
grant_permission(groups["team-sre"],
perm_grant,
argument="{}/somesubstring*".format(perm1.name))
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups['all-teams']]
assert owners_by_arg_by_perm[perm1.name]['*'] == expected
expected = [groups["team-sre"]]
assert owners_by_arg_by_perm[perm1.name]['somesubstring*'] == expected
# make sure get_owner() respect substrings
res = [
o for o, a in get_owner_arg_list(
session,
perm1,
"somesubstring",
owners_by_arg_by_perm=owners_by_arg_by_perm)
]
assert sorted(res) == sorted([groups["all-teams"], groups["team-sre"]]), \
"should include substring wildcard matches"
res = [
o for o, a in get_owner_arg_list(
session,
perm1,
"othersubstring",
owners_by_arg_by_perm=owners_by_arg_by_perm)
]
assert sorted(res) == [groups["all-teams"]
], "negative test of substring wildcard matches"
# permission admins have all the power
perm_admin, _ = Permission.get_or_create(session,
name=PERMISSION_ADMIN,
description="")
session.commit()
grant_permission(groups["security-team"], perm_admin)
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
all_permissions = Permission.get_all(session)
for perm in all_permissions:
assert perm.name in owners_by_arg_by_perm, 'all permission should be represented'
assert groups["security-team"] in owners_by_arg_by_perm[perm.name]["*"], \
'permission admin should be wildcard owners'
def test_permission_grant_to_owners(
session, standard_graph, groups, grantable_permissions, permissions # noqa: F811
):
"""Test we're getting correct owners according to granted
'grouper.permission.grant' permissions."""
perm_grant, _, perm1, perm2 = grantable_permissions
# Disable the group with permission admin since otherwise they're an approver on everything,
# and check that there are then no approvers.
groups["permission-admins"].disable()
session.commit()
assert not get_owners_by_grantable_permission(session), "nothing to begin with"
# grant a grant on a non-existent permission
grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one")
assert not get_owners_by_grantable_permission(session), "ignore grants for non-existent perms"
# grant a wildcard grant -- make sure all permissions are represented and
# the grant isn't inherited
grant_permission(groups["all-teams"], perm_grant, argument="grantable.*")
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups["all-teams"]]
assert owners_by_arg_by_perm[perm1.name]["*"] == expected, "grants are not inherited"
assert len(owners_by_arg_by_perm) == 2
assert len(owners_by_arg_by_perm[perm1.name]) == 1
assert len(owners_by_arg_by_perm[perm2.name]) == 1
# grant on argument substring
grant_permission(
groups["team-sre"], perm_grant, argument="{}/somesubstring*".format(perm1.name)
)
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups["all-teams"]]
assert owners_by_arg_by_perm[perm1.name]["*"] == expected
expected = [groups["team-sre"]]
assert owners_by_arg_by_perm[perm1.name]["somesubstring*"] == expected
# make sure get_owner() respect substrings
res = [
o.groupname
for o, a in get_owner_arg_list(
session, perm1, "somesubstring", owners_by_arg_by_perm=owners_by_arg_by_perm
)
]
assert sorted(res) == ["all-teams", "team-sre"], "should include substring wildcard matches"
res = [
o.groupname
for o, a in get_owner_arg_list(
session, perm1, "othersubstring", owners_by_arg_by_perm=owners_by_arg_by_perm
)
]
assert sorted(res) == ["all-teams"], "negative test of substring wildcard matches"
# permission admins have all the power
grant_permission(groups["security-team"], permissions[PERMISSION_ADMIN])
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
all_permissions = get_all_permissions(session)
for perm in all_permissions:
assert perm.name in owners_by_arg_by_perm, "all permission should be represented"
assert (
groups["security-team"] in owners_by_arg_by_perm[perm.name]["*"]
), "permission admin should be wildcard owners"
def test_exclude_disabled_permissions(
session, standard_graph, graph, users, groups, permissions # noqa: F811
):
"""
Ensure that disabled permissions are excluded from various
functions/methods that return data from the models.
"""
perm_ssh = get_permission(session, "ssh")
perm_grant = create_permission(session, PERMISSION_GRANT)
session.commit()
# this user has grouper.permission.grant with argument "ssh/*"
grant_permission(groups["group-admins"], perm_grant, argument="ssh/*")
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert "ssh" == filter_grantable_permissions(session, grant_perms)[0][0].name
assert "ssh" in (p.name for p in get_all_permissions(session))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" in get_grantable_permissions(session, [])
assert "team-sre" in [g[0] for g in get_groups_by_permission(session, perm_ssh)]
assert get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" in get_owners_by_grantable_permission(session)
assert "ssh" in (x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"]))
assert user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" in (p["permission"] for p in graph.get_group_details("team-sre")["permissions"])
assert "ssh" in (pt.name for pt in graph.get_permissions())
assert "team-sre" in graph.get_permission_details("ssh")["groups"]
assert "ssh" in (p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"])
# now disable the ssh permission
disable_permission(session, "ssh", users["*****@*****.**"].id)
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert not filter_grantable_permissions(session, grant_perms)
assert "ssh" not in (p.name for p in get_all_permissions(session))
assert "ssh" not in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" not in get_grantable_permissions(session, [])
assert not get_groups_by_permission(session, perm_ssh)
assert not get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" not in get_owners_by_grantable_permission(session)
assert "ssh" not in (
x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"])
)
assert not user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" not in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" not in (
p["permission"] for p in graph.get_group_details("team-sre")["permissions"]
)
assert "ssh" not in (pt.name for pt in graph.get_permissions())
assert not graph.get_permission_details("ssh")["groups"]
assert "ssh" not in (
p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"]
)