def test_permission_disable(setup):
# type: (SetupTest) -> None
with setup.transaction():
setup.grant_permission_to_group(PERMISSION_ADMIN, "", "admins")
setup.add_user_to_group("*****@*****.**", "admins")
setup.create_permission("some-permission")
run_ctl(setup, "permission", "-a", "*****@*****.**", "disable",
"some-permission")
permission = get_permission(setup.session, "some-permission")
assert permission
assert not permission.enabled
def test_disable_with_existing_grants(setup, caplog):
# type: (SetupTest, LogCaptureFixture) -> None
with setup.transaction():
setup.grant_permission_to_group(PERMISSION_ADMIN, "", "admins")
setup.add_user_to_group("*****@*****.**", "admins")
setup.grant_permission_to_group("some-permission", "", "some-group")
with pytest.raises(SystemExit):
run_ctl(setup, "permission", "-a", "*****@*****.**", "disable",
"some-permission")
assert "permission some-permission still granted to groups some-group" in caplog.text
def test_create(setup):
# type: (SetupTest) -> None
with setup.transaction():
setup.add_user_to_group("*****@*****.**", "some-group")
setup.add_user_to_group("*****@*****.**", "other-group")
run_ctl(
setup,
"service_account",
"--actor",
"*****@*****.**",
"create",
"*****@*****.**",
"some-group",
"foo +bar -(org)",
"this is a service account.\n\n it is for testing",
)
service_account = ServiceAccount.get(setup.session,
name="*****@*****.**")
assert service_account is not None
assert service_account.user.name == "*****@*****.**"
assert service_account.machine_set == "foo +bar -(org)"
assert service_account.description == "this is a service account.\n\n it is for testing"
group = Group.get(setup.session, name="some-group")
assert group
assert get_service_accounts(setup.session, group) == [service_account]
# If the account already exists, creating it again returns an error and does nothing.
with pytest.raises(SystemExit):
run_ctl(
setup,
"service_account",
"--actor",
"*****@*****.**",
"create",
"*****@*****.**",
"other-group",
"foo",
"another test",
)
service_account = ServiceAccount.get(setup.session,
name="*****@*****.**")
assert service_account is not None
assert service_account.machine_set == "foo +bar -(org)"
assert service_account.description == "this is a service account.\n\n it is for testing"
group = Group.get(setup.session, name="some-group")
assert group
assert get_service_accounts(setup.session, group) == [service_account]
def test_disable_with_duplicate_grants(setup, caplog):
# type: (SetupTest, LogCaptureFixture) -> None
with setup.transaction():
setup.grant_permission_to_group(PERMISSION_ADMIN, "", "admins")
setup.add_user_to_group("*****@*****.**", "admins")
setup.grant_permission_to_group("some-permission", "", "some-group")
setup.grant_permission_to_group("some-permission", "foo",
"another-group")
setup.grant_permission_to_group("some-permission", "bar",
"another-group")
setup.grant_permission_to_group("some-permission", "baz",
"another-group")
with pytest.raises(SystemExit):
run_ctl(setup, "permission", "-a", "*****@*****.**", "disable",
"some-permission")
expected = "permission some-permission still granted to groups another-group, some-group"
assert expected in caplog.text
def test_create_invalid_actor(setup):
# type: (SetupTest) -> None
with setup.transaction():
setup.create_group("some-group")
with pytest.raises(SystemExit):
run_ctl(
setup,
"service_account",
"--actor",
"*****@*****.**",
"create",
"*****@*****.**",
"some-group",
"foo",
"another test",
)
assert ServiceAccount.get(setup.session, name="*****@*****.**") is None
group = Group.get(setup.session, name="some-group")
assert get_service_accounts(setup.session, group) == []