def test_sync_assignments_user_doesnt_exist_in_db(self):
# Make sure that the assignments for the users which don't exist in the db are still saved
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
username = '******'
# Initial state, no roles
user_db = UserDB(name=username)
self.assertEqual(len(User.query(name=username)), 0)
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(
username=user_db.name,
roles=['role_1', 'role_2'],
file_path='assignments/foobar.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
def test_sync_user_assignments_multiple_custom_roles_assignments(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1', 'role_2'],
file_path='assignments/user2.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_assignment_dbs), 2)
self.assertEqual(role_assignment_dbs[0].source,
'assignments/user2.yaml')
self.assertEqual(role_assignment_dbs[1].source,
'assignments/user2.yaml')
def test_sync_roles_locally_removed_roles_are_removed_from_db(self):
syncer = RBACDefinitionsDBSyncer()
# Initial state, DB is empty, we sync with two roles defined on disk
self.assertEqual(len(Role.get_all()), 0)
api1 = RoleDefinitionFileFormatAPI(name='test_role_1',
description='test description 1',
permission_grants=[])
api2 = RoleDefinitionFileFormatAPI(name='test_role_2',
description='test description 2',
permission_grants=[])
created_role_dbs, deleted_role_dbs = syncer.sync_roles(
role_definition_apis=[api1, api2])
self.assertEqual(len(created_role_dbs), 2)
self.assertItemsEqual(deleted_role_dbs, [])
# Assert role and grants have been created in the DB
self.assertEqual(len(Role.get_all()), 2)
self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
self.assertRoleDBObjectExists(role_db=created_role_dbs[1])
# We sync again, this time with one role (role 1) removed locally
created_role_dbs, deleted_role_dbs = syncer.sync_roles(
role_definition_apis=[api2])
self.assertEqual(len(created_role_dbs), 1)
self.assertEqual(len(deleted_role_dbs), 2)
# Assert role and grants have been created in the DB
self.assertEqual(len(Role.get_all()), 1)
self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
self.assertEqual(Role.get_all()[0].name, 'test_role_2')
def test_sync_roles_no_definitions(self):
syncer = RBACDefinitionsDBSyncer()
# No definitions
created_role_dbs, deleted_role_dbs = syncer.sync_roles(
role_definition_apis=[])
self.assertItemsEqual(created_role_dbs, [])
self.assertItemsEqual(deleted_role_dbs, [])
def apply_definitions():
loader = RBACDefinitionsLoader()
result = loader.load()
role_definition_apis = list(result['roles'].values())
role_assignment_apis = list(result['role_assignments'].values())
group_to_role_map_apis = list(result['group_to_role_maps'].values())
syncer = RBACDefinitionsDBSyncer()
result = syncer.sync(role_definition_apis=role_definition_apis,
role_assignment_apis=role_assignment_apis,
group_to_role_map_apis=group_to_role_map_apis)
return result
def test_sync_roles_single_role_definition_no_grants(self):
syncer = RBACDefinitionsDBSyncer()
# One role with no grants
api = RoleDefinitionFileFormatAPI(name='test_role_1',
description='test description 1',
permission_grants=[])
created_role_dbs, deleted_role_dbs = syncer.sync_roles(
role_definition_apis=[api])
self.assertEqual(len(created_role_dbs), 1)
self.assertItemsEqual(deleted_role_dbs, [])
self.assertEqual(created_role_dbs[0].name, 'test_role_1')
self.assertEqual(created_role_dbs[0].description, 'test description 1')
self.assertItemsEqual(created_role_dbs[0].permission_grants, [])
# Assert role has been created in the DB
self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
def test_sync_roles_single_role_definition_three_grants(self):
syncer = RBACDefinitionsDBSyncer()
# One role with two grants
permission_grants = [{
'resource_uid': 'pack:mapack1',
'permission_types': ['pack_all']
}, {
'resource_uid': 'pack:mapack2',
'permission_types': ['rule_view', 'action_view']
}, {
'permission_types': ['sensor_list', 'action_list']
}]
api = RoleDefinitionFileFormatAPI(name='test_role_2',
description='test description 2',
permission_grants=permission_grants)
created_role_dbs, deleted_role_dbs = syncer.sync_roles(
role_definition_apis=[api])
self.assertEqual(len(created_role_dbs), 1)
self.assertItemsEqual(deleted_role_dbs, [])
self.assertEqual(created_role_dbs[0].name, 'test_role_2')
self.assertEqual(created_role_dbs[0].description, 'test description 2')
self.assertEqual(len(created_role_dbs[0].permission_grants), 3)
# Assert role and grants have been created in the DB
self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
for permission_grant_id in created_role_dbs[0].permission_grants:
self.assertGrantDBObjectExists(permission_grant_id)
grant_db = PermissionGrant.get_by_id(
str(created_role_dbs[0].permission_grants[0]))
self.assertEqual(grant_db.resource_uid,
permission_grants[0]['resource_uid'])
self.assertEqual(grant_db.resource_type, 'pack')
self.assertEqual(grant_db.permission_types,
permission_grants[0]['permission_types'])
grant_db = PermissionGrant.get_by_id(
str(created_role_dbs[0].permission_grants[2]))
self.assertEqual(grant_db.resource_uid, None)
self.assertEqual(grant_db.resource_type, None)
self.assertEqual(grant_db.permission_types,
permission_grants[2]['permission_types'])
def test_sync_user_assignments_assignments_without_is_remote_are_deleted(
self):
# Test case which verifies roles without "is_remote" field (pre v2.3) are removed from the
# database
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, 4 roles
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=self.users['user_5'])
self.assertEqual(len(role_assignment_dbs), 4)
# All 3 non remote roles should have been deleted
syncer.sync_users_role_assignments(role_assignment_apis=[])
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=self.users['user_5'])
self.assertEqual(len(role_assignment_dbs), 1)
self.assertEqual(role_assignment_dbs[0].role, 'role_4')
self.assertEqual(role_assignment_dbs[0].is_remote, True)
def test_sync_role_assignments_no_assignment_file_on_disk(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
user_db = self.users['user_3']
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_1', 'role_2'],
file_path='assignments/%s.yaml' %
user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
# Do the sync with no roles - existing assignments should be removed from the databse
syncer.sync_users_role_assignments(role_assignment_apis=[])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 0)
def test_sync_user_assignments_multiple_sources_same_role_assignment(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with role defined in separate files
assignment1 = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1'],
file_path='assignments/user2a.yaml')
assignment2 = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1'],
file_path='assignments/user2b.yaml')
syncer.sync_users_role_assignments(
role_assignment_apis=[assignment1, assignment2])
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_1'])
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_assignment_dbs), 2)
sources = [r.source for r in role_assignment_dbs]
self.assertIn('assignments/user2a.yaml', sources)
self.assertIn('assignments/user2b.yaml', sources)
# Do another sync with one assignment file removed - only one assignment should be left
syncer.sync_users_role_assignments(role_assignment_apis=[assignment2])
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_1'])
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_assignment_dbs), 1)
sources = [r.source for r in role_assignment_dbs]
self.assertIn('assignments/user2b.yaml', sources)
def test_sync_remote_assignments_are_not_manipulated(self):
# Verify remote assignments are not manipulated.
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
user_db = UserDB(name='doesntexistwhaha')
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Create mock remote role assignment
role_db = self.roles['role_3']
source = 'assignments/%s.yaml' % user_db.name
role_assignment_db = rbac_service.assign_role_to_user(role_db=role_db,
user_db=user_db,
source=source,
is_remote=True)
self.assertTrue(role_assignment_db.is_remote)
# Verify assignment has been created
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [self.roles['role_3']])
# Do the sync with two roles defined - verify remote role assignment hasn't been
# manipulated with.
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_1', 'role_2'],
file_path='assignments/%s.yaml' %
user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 3)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
self.assertEqual(role_dbs[2], self.roles['role_3'])
# Do sync with no roles - verify all roles except remote one are removed.
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=[],
file_path='assignments/%s.yaml' %
user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_3'])
def test_sync_user_assignments_role_doesnt_exist_in_db(self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with role defined in separate files
assignment1 = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['doesnt_exist'],
file_path='assignments/user2.yaml')
expected_msg = ('Role "doesnt_exist" referenced in assignment file '
'"assignments/user2.yaml" doesn\'t exist')
self.assertRaisesRegexp(ValueError,
expected_msg,
syncer.sync_users_role_assignments,
role_assignment_apis=[assignment1])
def test_sync_user_assignments_locally_removed_assignments_are_removed_from_db(
self):
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
# Initial state, no roles
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_1', 'role_2'],
file_path='assignments/user2.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
# Do the sync with one role defined (one should be removed from the db)
api = UserRoleAssignmentFileFormatAPI(
username='******',
roles=['role_2'],
file_path='assignments/user2.yaml')
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(
user_db=self.users['user_2'])
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_2'])
def test_sync_assignments_are_removed_user_doesnt_exist_in_db(self):
# Make sure that the assignments for the users which don't exist in the db are correctly
# removed
syncer = RBACDefinitionsDBSyncer()
self._insert_mock_roles()
username = '******'
# Initial state, no roles
user_db = UserDB(name=username)
self.assertEqual(len(User.query(name=username)), 0)
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Do the sync with two roles defined
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_1', 'role_2'],
file_path='assignments/%s.yaml' %
user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
# Sync with no roles on disk - existing roles should be removed
syncer.sync_users_role_assignments(role_assignment_apis=[])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 0)
username = '******'
# Initial state, no roles
user_db = UserDB(name=username)
self.assertEqual(len(User.query(name=username)), 0)
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertItemsEqual(role_dbs, [])
# Do the sync with three roles defined
api = UserRoleAssignmentFileFormatAPI(
username=user_db.name,
roles=['role_1', 'role_2', 'role_3'],
file_path='assignments/%s.yaml' % user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 3)
self.assertEqual(role_dbs[0], self.roles['role_1'])
self.assertEqual(role_dbs[1], self.roles['role_2'])
self.assertEqual(role_dbs[2], self.roles['role_3'])
role_assignment_dbs = rbac_service.get_role_assignments_for_user(
user_db=user_db)
self.assertEqual(len(role_assignment_dbs), 3)
self.assertEqual(role_assignment_dbs[0].source,
'assignments/%s.yaml' % user_db.name)
# Sync with one role on disk - two roles should be removed
api = UserRoleAssignmentFileFormatAPI(username=user_db.name,
roles=['role_3'],
file_path='assignments/%s.yaml' %
user_db.name)
syncer.sync_users_role_assignments(role_assignment_apis=[api])
role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
self.assertEqual(len(role_dbs), 1)
self.assertEqual(role_dbs[0], self.roles['role_3'])