def test_real_mode(dev, psql):
    """Run a real synchronisation and verify the resulting roles and memberships.

    The ``keepme`` table in ``olddb`` is checked before and after the run so
    that cleaning up roles never costs the data they owned.
    """
    from sh import ldap2pg

    config = 'ldap2pg.yml'

    assert 'keepme' in psql.tables(dbname='olddb')

    ldap2pg('-N', c=config)
    # A second pass works around a Postgres bug: EXECUTE on functions granted
    # to public persists after the revoke.
    ldap2pg('-N', c=config)

    all_roles = list(psql.roles())
    writer_members = list(psql.members('writers'))

    assert 'Alan' in all_roles
    assert 'oscar' not in all_roles
    assert 'ALICE' in psql.superusers()
    for member in ('daniel', 'david', 'didier'):
        assert member in writer_members
    assert 'ALICE' in psql.members('ldap_roles')

    # The table keepme, owned by the deleted user spurious, must not be dropped.
    assert 'keepme' in psql.tables(dbname='olddb')
    assert 'keepme' in all_roles
def test_stdin(capsys):
    """Pass the configuration on standard input and look for its role on stderr."""
    from sh import ldap2pg

    inline_config = "- role: stdinuser"
    # ldapfree_env() is defined elsewhere in the file; it supplies the
    # environment the command runs with.
    ldap2pg('--config=-', _in=inline_config, _env=ldapfree_env())

    captured_err = capsys.readouterr()[1]
    assert 'stdinuser' in captured_err
def test_nothing_to_do(capsys, dev):
    """A real run against an already synchronised cluster reports no work."""
    from sh import ldap2pg

    ldap2pg('--real', config='ldap2pg.yml')

    captured_err = capsys.readouterr()[1]
    assert 'Nothing to do' in captured_err
def test_dry_run(dev, ldap, psql):
    """Run without the real-mode flag and check the cluster is left unchanged."""
    from sh import ldap2pg

    config_path = 'tests/func/ldap2pg.yml'
    ldap2pg('--verbose', '--config', config_path)

    all_roles = list(psql.roles())
    privileged = list(psql.superusers())

    # Both roles are still in their pre-run state.
    assert 'oscar' in all_roles
    assert 'alice' in privileged
def test_sasl(capsys):
    """Run with LDAP credentials supplied via the environment and expect SASL output."""
    from sh import ldap2pg

    # Credentials travel in the child environment rather than on the command
    # line. The literal values are kept exactly as they appear in the source.
    env = dict(os.environ)
    env.update(LDAPUSER='******', LDAPPASSWORD='******')

    ldap2pg(config='ldap2pg.yml', verbose=True, _env=env)

    captured_err = capsys.readouterr()[1]
    assert 'SASL' in captured_err
def test_dry_run(dev, psql):
    """Run without the real-mode flag and check that no role was altered."""
    from sh import ldap2pg

    ldap2pg('--verbose', config='ldap2pg.yml')

    all_roles = list(psql.roles())
    privileged = list(psql.superusers())

    # oscar must survive: nothing is dropped in this mode.
    assert 'oscar' in all_roles
    assert 'ALICE' in privileged
def test_sasl():
    """Run with LDAP credentials supplied via the environment and expect SASL on stderr."""
    from sh import ldap2pg

    # Credentials travel in the child environment rather than on the command
    # line. The literal values are kept exactly as they appear in the source.
    env = dict(os.environ)
    env.update(LDAPUSER='******', LDAPPASSWORD='******')

    result = ldap2pg(config='ldap2pg.yml', verbose=True, _env=env)

    assert b'SASL' in result.stderr
def test_joins_in_real_mode(dev, psql):
    """Synchronise with the joins configuration and check roles and memberships."""
    from sh import ldap2pg

    ldap2pg('-N', c='tests/func/ldap2pg.joins.yml')

    all_roles = list(psql.roles())
    writer_members = list(psql.members('writers'))

    # NOTE(review): the role names below look masked. As written, the same
    # literal is asserted both present and absent, so the distinct names need
    # restoring before this test can be relied on.
    assert '*****@*****.**' in all_roles
    assert '*****@*****.**' not in all_roles
    assert '*****@*****.**' in psql.superusers()
    assert '*****@*****.**' in writer_members
    assert '*****@*****.**' not in writer_members
    assert '*****@*****.**' in writer_members
    assert '*****@*****.**' in psql.members('ldap_roles')
def test_re_grant(dev, psql):
    """A privilege revoked out of band is detected by check mode and granted again."""
    from sh import ldap2pg

    config = 'ldap2pg.yml'

    # Starting point: the database is in sync.
    ldap2pg('-C', c=config)

    # Drift: revoke on one table, which must trigger a re-GRANT.
    psql(d=b'appdb', c=b'REVOKE SELECT ON appns.table2 FROM readers;')

    # The check now has to fail with exit code 1.
    ldap2pg('-C', c=config, _ok_code=1)

    # Synchronise, then confirm the check passes again.
    ldap2pg('-N', c=config)
    ldap2pg('-C', c=config)
def test_re_revoke(dev, ldap, psql):
    """A privilege granted out of band is detected by check mode and revoked again."""
    from sh import ldap2pg

    config = 'tests/func/ldap2pg.acl.yml'

    # Starting point: the database is in sync.
    ldap2pg('-C', c=config)

    # Drift: a partial GRANT to oscar, which must trigger a re-REVOKE.
    psql(d=b'frontend', c=b'GRANT SELECT ON frontend.table1 TO oscar;')

    # The check now has to fail with exit code 1.
    ldap2pg('-C', c=config, _ok_code=1)

    # Synchronise, then confirm the check passes again.
    ldap2pg('-N', c=config)
    ldap2pg('-C', c=config)
def test_re_grant(dev, ldap, psql):
    """A privilege revoked out of band is detected by check mode and granted again."""
    from sh import ldap2pg

    config = 'tests/func/ldap2pg.acl.yml'

    # Starting point: the database is in sync.
    ldap2pg('-C', c=config)

    # Drift: revoke on one table, which should trigger a re-GRANT.
    psql(d=b'frontend', c=b'REVOKE SELECT ON frontend.table2 FROM daniel;')

    # The check now has to fail with exit code 1.
    ldap2pg('-C', c=config, _ok_code=1)

    # Synchronise, then confirm the check passes again.
    ldap2pg('-N', c=config)
    ldap2pg('-C', c=config)
def test_re_revoke(dev, psql):
    """A privilege granted out of band is detected by check mode and revoked again."""
    from sh import ldap2pg

    config_path = 'ldap2pg.yml'

    def run(mode, **extra):
        # Every invocation shares the same configuration file.
        return ldap2pg(mode, c=config_path, **extra)

    # Starting point: the database is in sync.
    run('-C')

    # Drift: an extra INSERT privilege for readers, which must trigger a
    # re-REVOKE.
    psql(d=b'appdb', c=b'GRANT INSERT ON appns.table1 TO readers;')

    # The check now has to fail with exit code 1.
    run('-C', _ok_code=1)

    # Synchronise, then confirm the check passes again.
    run('-N')
    run('-C')
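def test_custom_query(psql):
    """Check that a custom inspect query keeps unmatched roles out of scope.

    The configuration is streamed to ldap2pg on standard input. The run must
    report nothing to do even though ``alan`` exists in the cluster.
    """
    from sh import ldap2pg

    # Ensure we have a role not matching `d%`
    roles = list(psql.roles())
    assert 'alan' in roles

    # Open the configuration in a context manager so the handle is closed
    # whether or not the command fails. The call blocks until ldap2pg exits,
    # so stdin has been consumed by the time the block is left.
    with open('tests/func/ldap2pg.custom_inspect.yml') as yaml:
        out = ldap2pg('-v', '--config=-', _in=yaml)

    # However, alan is not dropped.
    assert b'Nothing to do' in out.stderr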
def test_run(psql):
    # type: (PSQL) -> None
    """Synchronise with the full configuration and verify roles, members and comments."""
    from sh import ldap2pg

    config_path = 'tests/func/ldap2pg.full.yml'

    # Before the run the check must fail (exit code 1): the database is not
    # in sync.
    ldap2pg('-C', c=config_path, _ok_code=1)

    # Synchronise, then confirm the check passes.
    ldap2pg('-N', c=config_path)
    ldap2pg('-C', c=config_path)

    all_roles = list(psql.roles())
    assert 'Alan' in all_roles
    assert 'oscar' not in all_roles
    assert 'ALICE' in psql.superusers()

    writer_members = list(psql.members('writers'))
    for member in ('daniel', 'david', 'didier'):
        assert member in writer_members
    assert 'ALICE' in psql.members('ldap_roles')

    # NOTE(review): the address inside this literal looks like an extraction
    # placeholder rather than a real fixture value. Confirm it against the
    # LDAP fixture.
    description = psql.scalar("""\
    SELECT description
    FROM pg_shdescription
    WHERE description = 'mail: [email protected]';
    """)
    assert description
def test_custom_privilege(dev, psql):
    """Check, synchronise and re-check with the custom privilege configuration."""
    from sh import ldap2pg

    config_path = 'tests/func/ldap2pg.custom_privilege.yml'

    # Before the run the check must fail (exit code 1): the database is not
    # in sync.
    ldap2pg('-C', c=config_path, _ok_code=1)

    # Synchronise, then confirm the check passes.
    ldap2pg('-N', c=config_path)
    ldap2pg('-C', c=config_path)
def test_real_mode(dev, ldap, psql):
    """Run a real synchronisation and verify roles, memberships and CONNECT access.

    Connection attempts made as individual users before and after the run show
    that database access is moved where the configuration says, and that a
    role excluded by the role_match pattern cannot log in despite its group
    membership.
    """
    from sh import ErrorReturnCode, ldap2pg

    def connect_as(user, dbname):
        # A trivial query is enough: it fails if the role may not connect.
        psql(U=user, d=dbname, c='SELECT CURRENT_USER')

    assert 'keepme' in psql.tables(dbname='legacy')

    # Before the run, daniel reaches backend but not frontend.
    connect_as('daniel', 'backend')
    with pytest.raises(ErrorReturnCode):
        connect_as('daniel', 'frontend')

    ldap2pg('-vN', c='tests/func/ldap2pg.yml')

    all_roles = list(psql.roles())
    frontend_members = list(psql.members('frontend'))

    assert 'alan' in all_roles
    assert 'oscar' not in all_roles
    assert 'alice' in psql.superusers()
    assert 'dave' in psql.members('backend')
    assert 'david' in frontend_members
    assert 'alice' in psql.members('ldap_users')

    # The table keepme, owned by the deleted user spurious, must not be dropped.
    assert 'keepme' in psql.tables(dbname='legacy')

    # CONNECT on backend has been revoked from daniel...
    with pytest.raises(ErrorReturnCode):
        connect_as('daniel', 'backend')
    # ...and he can now connect to frontend.
    connect_as('daniel', 'frontend')

    # carole is a member of the group but still cannot connect; this
    # exercises the role_match pattern.
    assert 'carole' in frontend_members
    with pytest.raises(ErrorReturnCode):
        connect_as('carole', 'frontend')
def test_real_mode(dev, ldap):
    """Check, synchronise and re-check with the ACL configuration."""
    from sh import ldap2pg

    config_path = 'tests/func/ldap2pg.acl.yml'

    # Before the run the check must fail (exit code 1): the database is not
    # synchronised.
    ldap2pg('-C', c=config_path, _ok_code=1)

    # Synchronise everything.
    ldap2pg('-N', c=config_path)

    # The ACL inspection now reports a synchronised state.
    ldap2pg('-C', c=config_path)
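def test_custom_yaml():
    """Check configuration lookup through LDAP2PG_CONFIG and the file-mode guard.

    Three behaviours are exercised in order: a missing file named by
    LDAP2PG_CONFIG is an error, a world-readable configuration file is
    refused, and the same file is accepted once its mode is 0600.
    """
    from sh import ErrorReturnCode, chmod, ldap2pg, rm

    LDAP2PG_CONFIG = 'my-test-ldap2pg.yml'

    # Start from a clean slate: the file must not exist for the first check.
    rm('-f', LDAP2PG_CONFIG)
    with pytest.raises(ErrorReturnCode):
        ldap2pg(_env=dict(os.environ, LDAP2PG_CONFIG=LDAP2PG_CONFIG))

    # YAML_FMT is defined elsewhere in the file and is filled in from the
    # current environment.
    yaml = YAML_FMT % os.environ
    with open(LDAP2PG_CONFIG, 'w') as fo:
        fo.write(yaml)
    # Set the permissive mode explicitly. open() honours the process umask, so
    # under a restrictive umask (077, say) the file would already be private
    # and the denial check below would fail for the wrong reason.
    chmod('0644', LDAP2PG_CONFIG)

    # Purge from the environment the values set in the file. Others are read
    # from ldaprc.
    # Ensure a world-readable password is denied.
    with pytest.raises(ErrorReturnCode):
        ldap2pg(config=LDAP2PG_CONFIG, _env=ldapfree_env())

    # Tightening the file mode makes the same configuration acceptable.
    chmod('0600', LDAP2PG_CONFIG)
    ldap2pg('--config', LDAP2PG_CONFIG, _env=ldapfree_env())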
def test_only_privileges(psql):
    # type: (PSQL) -> None
    """Synchronise privileges only and check that roles are left alone."""
    from sh import ldap2pg

    config_path = 'tests/func/ldap2pg.only_privileges.yml'

    # Before the run the check must fail (exit code 1): the database is not
    # in sync.
    ldap2pg('-C', c=config_path, _ok_code=1)

    # Synchronise, then confirm the check passes.
    ldap2pg('-N', c=config_path)
    ldap2pg('-C', c=config_path)

    all_roles = list(psql.roles())

    # The o* role must not have been dropped.
    assert 'oscar' in all_roles

    # After the run, public has no USAGE on plpgsql.
    public_usage = psql.scalar(
        "SELECT has_language_privilege('public', 'plpgsql', 'USAGE');"
    )
    assert 'f' == public_usage
def test_nothing_to_do(dev):
    """A real run against an already synchronised cluster reports no work."""
    from sh import ldap2pg

    result = ldap2pg('--real', config='ldap2pg.yml')

    assert b'Nothing to do' in result.stderr
def test_dry_run(dev, ldap, psql):
    """Run once with the ACL configuration and no mode flag; it must exit cleanly."""
    from sh import ldap2pg

    acl_config = 'tests/func/ldap2pg.acl.yml'
    ldap2pg(c=acl_config)
def test_help():
    """Both spellings of the help flag must exit successfully."""
    from sh import ldap2pg

    for flag in ('-?', '--help'):
        ldap2pg(flag)
def test_various_arguments():
    """A mix of combined short flags and long options is accepted."""
    from sh import ldap2pg

    argv = ('-vn', '--color', '--config', 'ldap2pg.yml')
    ldap2pg(*argv)
def test_stdin():
    """Pass the configuration on standard input and look for its role on stderr."""
    from sh import ldap2pg

    inline_config = "- role: stdinuser"
    result = ldap2pg('--config=-', _in=inline_config)

    assert b'stdinuser' in result.stderr
def test_check_mode(dev, psql):
    """Check mode exits with code 1 on this fixture."""
    from sh import ldap2pg

    # _ok_code=1 makes exit status 1 the expected outcome instead of an error.
    expected_exit = 1
    ldap2pg('--check', config='ldap2pg.yml', _ok_code=expected_exit)
def test_check_mode(dev, ldap, psql):
    """Check mode exits with code 1 on this fixture."""
    from sh import ldap2pg

    # _ok_code=1 makes exit status 1 the expected outcome instead of an error.
    config_path = 'tests/func/ldap2pg.yml'
    ldap2pg('--check', '--config', config_path, _ok_code=1)
def test_nothing_to_do():
    """A real run against an already synchronised cluster reports no work."""
    from sh import ldap2pg

    config_path = 'tests/func/ldap2pg.yml'
    result = ldap2pg('--real', '--config', config_path)

    assert b'Nothing to do' in result.stderr