def delete(): g = model.group_key('A group').get() g.record_deletion( modified_by=ident('*****@*****.**'), modified_ts=utils.utcnow(), comment='Deleted') g.key.delete()
def test_get_group(self): g = model.AuthGroup( key=model.group_key('group'), members=[ model.Identity.from_bytes('user:[email protected]'), model.Identity.from_bytes('user:[email protected]'), ], globs=[model.IdentityGlob.from_bytes('user:*')], nested=['blah'], created_by=model.Identity.from_bytes('user:[email protected]'), created_ts=datetime.datetime(2014, 1, 2, 3, 4, 5), modified_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=datetime.datetime(2015, 1, 2, 3, 4, 5)) db = api.AuthDB(groups=[g]) # Unknown group. self.assertIsNone(db.get_group('blah')) # Known group. from_cache = db.get_group('group') self.assertEqual(from_cache.key, g.key) # Members list is sorted. self.assertEqual(from_cache.members, [ model.Identity.from_bytes('user:[email protected]'), model.Identity.from_bytes('user:[email protected]'), ]) # Fields that are know to be different. exclude = ['members', 'auth_db_rev', 'auth_db_prev_rev'] self.assertEqual( from_cache.to_dict(exclude=exclude), g.to_dict(exclude=exclude))
def make_group(name, comment, **kwargs): group = model.AuthGroup(key=model.group_key(name), **kwargs) group.record_revision( modified_by=ident('*****@*****.**'), modified_ts=utils.utcnow(), comment=comment) group.put()
def make_group(group_id, nested=(), owners=model.ADMIN_GROUP, store=True): """Makes a new AuthGroup to use in test, puts it in datastore.""" entity = model.AuthGroup( key=model.group_key(group_id), nested=nested, owners=owners) if store: entity.put() return entity
def test_group_bootstrap_non_empty(self): ident1 = model.Identity(model.IDENTITY_USER, '*****@*****.**') ident2 = model.Identity(model.IDENTITY_USER, '*****@*****.**') mocked_now = datetime.datetime(2014, 01, 01) self.mock_now(mocked_now) added = model.bootstrap_group( 'some-group', [ident1, ident2], 'Blah description') self.assertTrue(added) ent = model.group_key('some-group').get() self.assertEqual( { 'auth_db_rev': 1, 'auth_db_prev_rev': None, 'created_by': model.get_service_self_identity(), 'created_ts': mocked_now, 'description': 'Blah description', 'globs': [], 'members': [ident1, ident2], 'modified_by': model.get_service_self_identity(), 'modified_ts': mocked_now, 'nested': [], 'owners': u'administrators', }, ent.to_dict())
def make_auth_db(): model.AuthGlobalConfig(key=model.root_key()).put() model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key()).put() model.AuthGroup(key=model.group_key('A group')).put() model.AuthIPWhitelist(key=model.ip_whitelist_key('A whitelist')).put() model.replicate_auth_db()
def group(name, members, nested=None): return model.AuthGroup( key=model.group_key(name), created_by=ident('admin'), created_ts=datetime.datetime(1999, 1, 2, 3, 4, 5, 6), modified_by=ident('admin'), modified_ts=datetime.datetime(1999, 1, 2, 3, 4, 5, 6), members=[ident(x) for x in members], nested=nested or [])
def test_prepare_import(self): service_id = auth.Identity.from_bytes('service:some-service') self.mock(auth, 'get_service_self_identity', lambda: service_id) existing_groups = [ group('normal-group', [], ['ldap/cleared']), group('not-ldap/some', []), group('ldap/updated', ['a']), group('ldap/unchanged', ['a']), group('ldap/deleted', ['a']), group('ldap/cleared', ['a']), ] imported_groups = { 'ldap/new': [ident('a')], 'ldap/updated': [ident('a'), ident('b')], 'ldap/unchanged': [ident('a')], } to_put, to_delete = importer.prepare_import( 'ldap', existing_groups, imported_groups, datetime.datetime(2010, 1, 2, 3, 4, 5, 6)) expected_to_put = { 'ldap/cleared': { 'created_by': ident('admin'), 'created_ts': datetime.datetime(1999, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [], 'modified_by': service_id, 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], }, 'ldap/new': { 'created_by': service_id, 'created_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [ident('a')], 'modified_by': service_id, 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], }, 'ldap/updated': { 'created_by': ident('admin'), 'created_ts': datetime.datetime(1999, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [ident('a'), ident('b')], 'modified_by': service_id, 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], }, } self.assertEqual(expected_to_put, {x.key.id(): x.to_dict() for x in to_put}) self.assertEqual([model.group_key('ldap/deleted')], to_delete)
def setUp(self): super(MembershipTest, self).setUp() api.reset_local_state() self.mock(api, 'is_admin', lambda *_: True) model.AuthGroup(key=model.group_key('testgroup'), members=[]).put() def is_group_member_mock(group, identity): group = model.group_key(group).get() return group is not None and identity in group.members self.mock(api, 'is_group_member', is_group_member_mock)
def create_group(group_name): ent = model.AuthGroup( key=model.group_key(group_name), members=imported_groups[group_name], created_ts=timestamp, created_by=auth.get_service_self_identity(), modified_ts=timestamp, modified_by=auth.get_service_self_identity()) to_put.append(ent)
def remove(name, commit=True): e = model.group_key(name).get() if e: e.record_deletion( modified_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), comment='Comment') e.key.delete() if commit: model.replicate_auth_db()
def modify(): g = model.group_key('A group').get() g.members = [ident('*****@*****.**'), ident('*****@*****.**')] g.globs = [glob('*@example.com'), glob('*@blah.com')] g.nested = ['A', 'C'] g.description = 'Another blah' g.owners = 'another-owners' g.record_revision( modified_by=ident('*****@*****.**'), modified_ts=utils.utcnow(), comment='Changed') g.put()
def modify(name, commit=True, **kwargs): k = model.group_key(name) e = k.get() if not e: e = model.AuthGroup( key=k, created_by=ident_a, created_ts=utils.utcnow()) e.record_revision( modified_by=ident_a, modified_ts=utils.utcnow(), comment='Comment') e.populate(**kwargs) e.put() if commit: model.replicate_auth_db()
def test_group_serialization(self): """Serializing snapshot with non-trivial AuthGroup.""" group = model.AuthGroup( key=model.group_key('some-group'), members=[ model.Identity.from_bytes('user:[email protected]'), model.Identity.from_bytes('user:[email protected]'), ], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=['Group A', 'Group B'], description='Blah blah blah', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), ) snapshot = make_snapshot_obj(groups=[group]) self.assert_serialization_works(snapshot)
def test_group_bootstrap_empty(self): mocked_now = datetime.datetime(2014, 01, 01) self.mock_now(mocked_now) added = model.bootstrap_group('some-group', [], 'Blah description') self.assertTrue(added) ent = model.group_key('some-group').get() self.assertEqual( { 'created_by': model.get_service_self_identity(), 'created_ts': mocked_now, 'description': 'Blah description', 'globs': [], 'members': [], 'modified_by': model.get_service_self_identity(), 'modified_ts': mocked_now, 'nested': [] }, ent.to_dict())
def test_fetch_auth_db(self): # Create AuthGlobalConfig. global_config = model.AuthGlobalConfig(key=model.root_key()) global_config.oauth_client_id = "1" global_config.oauth_client_secret = "secret" global_config.oauth_additional_client_ids = ["2", "3"] global_config.put() # Create a bunch of (empty) groups. groups = [model.AuthGroup(key=model.group_key("Group A")), model.AuthGroup(key=model.group_key("Group B"))] for group in groups: group.put() # And a bunch of secrets (local and global). local_secrets = [model.AuthSecret.bootstrap("local%d" % i, "local") for i in (0, 1, 2)] global_secrets = [model.AuthSecret.bootstrap("global%d" % i, "global") for i in (0, 1, 2)] # And IP whitelist. ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), assignments=[ model.AuthIPWhitelistAssignments.Assignment(identity=model.Anonymous, ip_whitelist="some ip whitelist") ], ) ip_whitelist_assignments.put() some_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key("some ip whitelist"), subnets=["127.0.0.1/32"] ) bots_ip_whitelist = model.AuthIPWhitelist(key=model.ip_whitelist_key("bots"), subnets=["127.0.0.1/32"]) some_ip_whitelist.put() bots_ip_whitelist.put() # This all stuff should be fetched into AuthDB. auth_db = api.fetch_auth_db() self.assertEqual(global_config, auth_db.global_config) self.assertEqual(set(g.key.id() for g in groups), set(auth_db.groups)) self.assertEqual(set(s.key.id() for s in local_secrets), set(auth_db.secrets["local"])) self.assertEqual(set(s.key.id() for s in global_secrets), set(auth_db.secrets["global"])) self.assertEqual(ip_whitelist_assignments, auth_db.ip_whitelist_assignments) self.assertEqual({"bots": bots_ip_whitelist, "some ip whitelist": some_ip_whitelist}, auth_db.ip_whitelists)
def add_group(self, group, identities): model.AuthGroup(key=model.group_key(group), members=[ model.Identity.from_bytes(identity) for identity in identities]).put()
def is_group_member_mock(group, identity): group = model.group_key(group).get() return group is not None and identity in group.members
def test_groups_log(self): ident_a = model.Identity.from_bytes('user:[email protected]') ident_b = model.Identity.from_bytes('user:[email protected]') glob_a = model.IdentityGlob.from_bytes('user:*@a.com') glob_b = model.IdentityGlob.from_bytes('user:*@b.com') @ndb.transactional def modify(name, commit=True, **kwargs): k = model.group_key(name) e = k.get() if not e: e = model.AuthGroup(key=k, created_by=ident_a, created_ts=utils.utcnow()) e.record_revision(modified_by=ident_a, modified_ts=utils.utcnow(), comment='Comment') e.populate(**kwargs) e.put() if commit: model.replicate_auth_db() @ndb.transactional def remove(name, commit=True): e = model.group_key(name).get() if e: e.record_deletion(modified_by=model.Identity.from_bytes( 'user:[email protected]'), modified_ts=utils.utcnow(), comment='Comment') e.key.delete() if commit: model.replicate_auth_db() modify('A', members=[]) modify('A', members=[ident_a], globs=[glob_a]) modify('B', members=[ident_b], globs=[glob_b]) modify('A', nested=['B']) @ndb.transactional def batch(): modify('B', commit=False, description='Blah') remove('A', commit=True) batch() modify('B', members=[ident_a, ident_b], globs=[glob_a, glob_b]) # Final state. self.assertIsNone(model.group_key('A').get()) self.assertEqual( { 'auth_db_rev': 6, 'auth_db_prev_rev': 5, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [ model.IdentityGlob(kind='user', pattern='*@a.com'), model.IdentityGlob(kind='user', pattern='*@b.com'), ], 'members': [ model.Identity(kind='user', name='*****@*****.**'), model.Identity(kind='user', name='*****@*****.**'), ], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, model.group_key('B').get().to_dict()) # Copies in the history. cpy = lambda name, rev: ndb.Key( 'Rev', rev, 'AuthGroupHistory', name, parent=model.root_key()) self.assertEqual( { cpy('A', 1): { 'auth_db_rev': 1, 'auth_db_prev_rev': None, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [], 'members': [], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('A', 2): { 'auth_db_rev': 2, 'auth_db_prev_rev': 1, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('B', 3): { 'auth_db_rev': 3, 'auth_db_prev_rev': None, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_b], 'members': [ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('A', 4): { 'auth_db_rev': 4, 'auth_db_prev_rev': 2, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [u'B'], 'owners': u'administrators', }, # Batch revision. cpy('A', 5): { 'auth_db_rev': 5, 'auth_db_prev_rev': 4, 'auth_db_app_version': u'v1a', 'auth_db_deleted': True, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [u'B'], 'owners': u'administrators', }, cpy('B', 5): { 'auth_db_rev': 5, 'auth_db_prev_rev': 3, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [glob_b], 'members': [ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, # /end of batch revision cpy('B', 6): { 'auth_db_rev': 6, 'auth_db_prev_rev': 5, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [glob_a, glob_b], 'members': [ident_a, ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, }, self.grab_log(model.AuthGroup))
def make_group(group_id, nested=(), store=True): """Makes a new AuthGroup to use in test, puts it in datastore.""" entity = model.AuthGroup(key=model.group_key(group_id), nested=nested) if store: entity.put() return entity
def test_non_empty(self): self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1)) state = model.AuthReplicationState( key=model.replication_state_key(), primary_id='blah', primary_url='https://blah', auth_db_rev=123) state.put() global_config = model.AuthGlobalConfig( key=model.root_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), oauth_client_id='oauth_client_id', oauth_client_secret='oauth_client_secret', oauth_additional_client_ids=['a', 'b']) global_config.put() group = model.AuthGroup( key=model.group_key('Some group'), members=[model.Identity.from_bytes('user:[email protected]')], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=[], description='Some description', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) group.put() another = model.AuthGroup( key=model.group_key('Another group'), nested=['Some group']) another.put() global_secret = model.AuthSecret( id='global_secret', parent=model.secret_scope_key('global'), values=['1234', '5678'], modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) global_secret.put() # Local secret should not appear in a snapshot. local_secret = model.AuthSecret( id='local_secret', parent=model.secret_scope_key('local'), values=['1234', '5678'], modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) local_secret.put() ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32'], description='Some description', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) ip_whitelist.put() ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Identity.from_bytes('user:[email protected]'), ip_whitelist='bots', comment='some comment', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]')), ]) ip_whitelist_assignments.put() captured_state, snapshot = replication.new_auth_db_snapshot() expected_state = { 'auth_db_rev': 123, 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'primary_id': u'blah', 'primary_url': u'https://blah', } self.assertEqual(expected_state, captured_state.to_dict()) expected_snapshot = { 'global_config': { '__id__': 'root', '__parent__': None, 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'oauth_additional_client_ids': [u'a', u'b'], 'oauth_client_id': u'oauth_client_id', 'oauth_client_secret': u'oauth_client_secret', }, 'groups': [ { '__id__': 'Another group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': None, 'created_ts': None, 'description': '', 'globs': [], 'members': [], 'modified_by': None, 'modified_ts': None, 'nested': [u'Some group'], }, { '__id__': 'Some group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')], 'members': [model.Identity(kind='user', name='*****@*****.**')], 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'nested': [], }, ], 'secrets': [ { '__id__': 'global_secret', '__parent__': ndb.Key( 'AuthGlobalConfig', 'root', 'AuthSecretScope', 'global'), 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'values': ['1234', '5678'], }, ], 'ip_whitelists': [ { '__id__': 'bots', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'modified_by': model.Identity( kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'subnets': ['127.0.0.1/32'], }, ], 'ip_whitelist_assignments': { '__id__': 'default', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'assignments': [ { 'comment': 'some comment', 'created_by': model.Identity( kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'identity': model.Identity( kind='user', name='*****@*****.**'), 'ip_whitelist': 'bots', }, ], 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), }, } self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def add_group(self, group, identities): model.AuthGroup(key=model.group_key(group), members=[ model.Identity.from_bytes(identity) for identity in identities ]).put()
def make_group(name, comment, **kwargs): group = model.AuthGroup(key=model.group_key(name), **kwargs) group.record_revision(modified_by=ident('*****@*****.**'), modified_ts=utils.utcnow(), comment=comment) group.put()
def test_fetch_auth_db(self): # Create AuthGlobalConfig. global_config = model.AuthGlobalConfig(key=model.root_key()) global_config.oauth_client_id = '1' global_config.oauth_client_secret = 'secret' global_config.oauth_additional_client_ids = ['2', '3'] global_config.put() # Create a bunch of (empty) groups. groups = [ model.AuthGroup(key=model.group_key('Group A')), model.AuthGroup(key=model.group_key('Group B')), ] for group in groups: group.put() # And a bunch of secrets (local and global). local_secrets = [ model.AuthSecret.bootstrap('local%d' % i, 'local') for i in (0, 1, 2) ] global_secrets = [ model.AuthSecret.bootstrap('global%d' % i, 'global') for i in (0, 1, 2) ] # And IP whitelist. ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Anonymous, ip_whitelist='some ip whitelist', ), ]) ip_whitelist_assignments.put() some_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('some ip whitelist'), subnets=['127.0.0.1/32']) bots_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32']) some_ip_whitelist.put() bots_ip_whitelist.put() # This all stuff should be fetched into AuthDB. auth_db = api.fetch_auth_db() self.assertEqual(global_config, auth_db.global_config) self.assertEqual( set(g.key.id() for g in groups), set(auth_db.groups)) self.assertEqual( set(s.key.id() for s in local_secrets), set(auth_db.secrets['local'])) self.assertEqual( set(s.key.id() for s in global_secrets), set(auth_db.secrets['global'])) self.assertEqual( ip_whitelist_assignments, auth_db.ip_whitelist_assignments) self.assertEqual( {'bots': bots_ip_whitelist, 'some ip whitelist': some_ip_whitelist}, auth_db.ip_whitelists)
def test_prepare_import(self): existing_groups = [ group('normal-group', [], ['ldap/cleared']), group('not-ldap/some', []), group('ldap/updated', ['a']), group('ldap/unchanged', ['a']), group('ldap/deleted', ['a']), group('ldap/cleared', ['a']), ] imported_groups = { 'ldap/new': [ident('a')], 'ldap/updated': [ident('a'), ident('b')], 'ldap/unchanged': [ident('a')], } to_put, to_delete = importer.prepare_import( 'ldap', existing_groups, imported_groups, datetime.datetime(2010, 1, 2, 3, 4, 5, 6)) expected_to_put = { 'ldap/cleared': { 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': ident('admin'), 'created_ts': datetime.datetime(1999, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [], 'modified_by': model.get_service_self_identity(), 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], 'owners': u'administrators', }, 'ldap/new': { 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.get_service_self_identity(), 'created_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [ident('a')], 'modified_by': model.get_service_self_identity(), 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], 'owners': u'administrators', }, 'ldap/updated': { 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': ident('admin'), 'created_ts': datetime.datetime(1999, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [ident('a'), ident('b')], 'modified_by': model.get_service_self_identity(), 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], 'owners': u'administrators', }, } self.assertEqual(expected_to_put, {x.key.id(): x.to_dict() for x in to_put}) self.assertEqual( [model.group_key('ldap/deleted')], [x.key for x in to_delete])
def test_non_empty(self): self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1)) state = model.AuthReplicationState(key=model.replication_state_key(), primary_id='blah', primary_url='https://blah', auth_db_rev=123) state.put() global_config = model.AuthGlobalConfig( key=model.root_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), oauth_client_id='oauth_client_id', oauth_client_secret='oauth_client_secret', oauth_additional_client_ids=['a', 'b'], token_server_url='https://token-server', security_config='security config blob') global_config.put() group = model.AuthGroup( key=model.group_key('Some group'), members=[model.Identity.from_bytes('user:[email protected]')], globs=[model.IdentityGlob.from_bytes('user:*@example.com')], nested=[], description='Some description', owners='owning-group', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) group.put() another = model.AuthGroup(key=model.group_key('Another group'), nested=['Some group']) another.put() ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32'], description='Some description', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]')) ip_whitelist.put() ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), modified_ts=utils.utcnow(), modified_by=model.Identity.from_bytes('user:[email protected]'), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Identity.from_bytes( 'user:[email protected]'), ip_whitelist='bots', comment='some comment', created_ts=utils.utcnow(), created_by=model.Identity.from_bytes( 'user:[email protected]')), ]) ip_whitelist_assignments.put() captured_state, snapshot = replication.new_auth_db_snapshot() expected_state = { 'auth_db_rev': 123, 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'primary_id': u'blah', 'primary_url': u'https://blah', } self.assertEqual(expected_state, captured_state.to_dict()) expected_snapshot = { 'global_config': { '__id__': 'root', '__parent__': None, 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'oauth_additional_client_ids': [u'a', u'b'], 'oauth_client_id': u'oauth_client_id', 'oauth_client_secret': u'oauth_client_secret', 'security_config': 'security config blob', 'token_server_url': u'https://token-server', }, 'groups': [ { '__id__': 'Another group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': None, 'created_ts': None, 'description': u'', 'globs': [], 'members': [], 'modified_by': None, 'modified_ts': None, 'nested': [u'Some group'], 'owners': u'administrators', }, { '__id__': 'Some group', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')], 'members': [model.Identity(kind='user', name='*****@*****.**')], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'nested': [], 'owners': u'owning-group', }, ], 'ip_whitelists': [ { '__id__': 'bots', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'description': u'Some description', 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'subnets': [u'127.0.0.1/32'], }, ], 'ip_whitelist_assignments': { '__id__': 'default', '__parent__': ndb.Key('AuthGlobalConfig', 'root'), 'assignments': [ { 'comment': u'some comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), 'identity': model.Identity(kind='user', name='*****@*****.**'), 'ip_whitelist': u'bots', }, ], 'auth_db_rev': None, 'auth_db_prev_rev': None, 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1), }, } self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
def group(name, **kwargs): return model.AuthGroup( key=model.group_key(name), created_ts=utils.utcnow(), modified_ts=utils.utcnow(), **kwargs)
def test_prepare_import(self): existing_groups = [ group('normal-group', [], ['ldap/cleared']), group('not-ldap/some', []), group('ldap/updated', ['a']), group('ldap/unchanged', ['a']), group('ldap/deleted', ['a']), group('ldap/cleared', ['a']), ] imported_groups = { 'ldap/new': [ident('a')], 'ldap/updated': [ident('a'), ident('b')], 'ldap/unchanged': [ident('a')], } to_put, to_delete = importer.prepare_import( 'ldap', existing_groups, imported_groups, datetime.datetime(2010, 1, 2, 3, 4, 5, 6), model.get_service_self_identity()) expected_to_put = { 'ldap/cleared': { 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': ident('admin'), 'created_ts': datetime.datetime(1999, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [], 'modified_by': model.get_service_self_identity(), 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], 'owners': u'administrators', }, 'ldap/new': { 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': model.get_service_self_identity(), 'created_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [ident('a')], 'modified_by': model.get_service_self_identity(), 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], 'owners': u'administrators', }, 'ldap/updated': { 'auth_db_rev': None, 'auth_db_prev_rev': None, 'created_by': ident('admin'), 'created_ts': datetime.datetime(1999, 1, 2, 3, 4, 5, 6), 'description': '', 'globs': [], 'members': [ident('a'), ident('b')], 'modified_by': model.get_service_self_identity(), 'modified_ts': datetime.datetime(2010, 1, 2, 3, 4, 5, 6), 'nested': [], 'owners': u'administrators', }, } self.assertEqual(expected_to_put, {x.key.id(): x.to_dict() for x in to_put}) self.assertEqual([model.group_key('ldap/deleted')], [x.key for x in to_delete])
def test_fetch_auth_db(self): # Client IDs callback. Disable config.ensure_configured() since it overrides # _additional_client_ids_cb after we mock it. self.mock(config, 'ensure_configured', lambda: None) self.mock(api, '_additional_client_ids_cb', lambda: ['', 'cb_client_id']) self.mock(api, 'get_web_client_id', lambda: 'web_client_id') # Create AuthGlobalConfig. global_config = model.AuthGlobalConfig(key=model.root_key()) global_config.oauth_client_id = '1' global_config.oauth_client_secret = 'secret' global_config.oauth_additional_client_ids = ['2', '3'] global_config.put() # Create a bunch of (empty) groups. groups = [ model.AuthGroup(key=model.group_key('Group A')), model.AuthGroup(key=model.group_key('Group B')), ] for group in groups: group.put() # And a bunch of secrets. secrets = [ model.AuthSecret.bootstrap('local%d' % i) for i in (0, 1, 2) ] # And IP whitelist. ip_whitelist_assignments = model.AuthIPWhitelistAssignments( key=model.ip_whitelist_assignments_key(), assignments=[ model.AuthIPWhitelistAssignments.Assignment( identity=model.Anonymous, ip_whitelist='some ip whitelist', ), ]) ip_whitelist_assignments.put() some_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('some ip whitelist'), subnets=['127.0.0.1/32']) bots_ip_whitelist = model.AuthIPWhitelist( key=model.ip_whitelist_key('bots'), subnets=['127.0.0.1/32']) some_ip_whitelist.put() bots_ip_whitelist.put() # This all stuff should be fetched into AuthDB. auth_db = api.fetch_auth_db() self.assertEqual(global_config, auth_db.global_config) self.assertEqual(set(g.key.id() for g in groups), set(auth_db.groups)) self.assertEqual(set(s.key.id() for s in secrets), set(auth_db.secrets)) self.assertEqual(ip_whitelist_assignments, auth_db.ip_whitelist_assignments) self.assertEqual( { 'bots': bots_ip_whitelist, 'some ip whitelist': some_ip_whitelist }, auth_db.ip_whitelists) self.assertTrue(auth_db.is_allowed_oauth_client_id('1')) self.assertTrue(auth_db.is_allowed_oauth_client_id('cb_client_id')) self.assertTrue(auth_db.is_allowed_oauth_client_id('web_client_id')) self.assertFalse(auth_db.is_allowed_oauth_client_id(''))
def group(name, **kwargs): return model.AuthGroup(key=model.group_key(name), created_ts=utils.utcnow(), modified_ts=utils.utcnow(), **kwargs)
def test_groups_log(self): ident_a = model.Identity.from_bytes('user:[email protected]') ident_b = model.Identity.from_bytes('user:[email protected]') glob_a = model.IdentityGlob.from_bytes('user:*@a.com') glob_b = model.IdentityGlob.from_bytes('user:*@b.com') @ndb.transactional def modify(name, commit=True, **kwargs): k = model.group_key(name) e = k.get() if not e: e = model.AuthGroup( key=k, created_by=ident_a, created_ts=utils.utcnow()) e.record_revision( modified_by=ident_a, modified_ts=utils.utcnow(), comment='Comment') e.populate(**kwargs) e.put() if commit: model.replicate_auth_db() @ndb.transactional def remove(name, commit=True): e = model.group_key(name).get() if e: e.record_deletion( modified_by=model.Identity.from_bytes('user:[email protected]'), modified_ts=utils.utcnow(), comment='Comment') e.key.delete() if commit: model.replicate_auth_db() modify('A', members=[]) modify('A', members=[ident_a], globs=[glob_a]) modify('B', members=[ident_b], globs=[glob_b]) modify('A', nested=['B']) @ndb.transactional def batch(): modify('B', commit=False, description='Blah') remove('A', commit=True) batch() modify('B', members=[ident_a, ident_b], globs=[glob_a, glob_b]) # Final state. self.assertIsNone(model.group_key('A').get()) self.assertEqual({ 'auth_db_rev': 6, 'auth_db_prev_rev': 5, 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [ model.IdentityGlob(kind='user', pattern='*@a.com'), model.IdentityGlob(kind='user', pattern='*@b.com'), ], 'members': [ model.Identity(kind='user', name='*****@*****.**'), model.Identity(kind='user', name='*****@*****.**'), ], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, model.group_key('B').get().to_dict()) # Copies in the history. cpy = lambda name, rev: ndb.Key( 'Rev', rev, 'AuthGroupHistory', name, parent=model.root_key()) self.assertEqual({ cpy('A', 1): { 'auth_db_rev': 1, 'auth_db_prev_rev': None, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [], 'members': [], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('A', 2): { 'auth_db_rev': 2, 'auth_db_prev_rev': 1, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('B', 3): { 'auth_db_rev': 3, 'auth_db_prev_rev': None, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_b], 'members': [ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, cpy('A', 4): { 'auth_db_rev': 4, 'auth_db_prev_rev': 2, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [u'B'], 'owners': u'administrators', }, # Batch revision. cpy('A', 5): { 'auth_db_rev': 5, 'auth_db_prev_rev': 4, 'auth_db_app_version': u'v1a', 'auth_db_deleted': True, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'', 'globs': [glob_a], 'members': [ident_a], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [u'B'], 'owners': u'administrators', }, cpy('B', 5): { 'auth_db_rev': 5, 'auth_db_prev_rev': 3, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [glob_b], 'members': [ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, # /end of batch revision cpy('B', 6): { 'auth_db_rev': 6, 'auth_db_prev_rev': 5, 'auth_db_app_version': u'v1a', 'auth_db_deleted': False, 'auth_db_change_comment': u'Comment', 'created_by': model.Identity(kind='user', name='*****@*****.**'), 'created_ts': datetime.datetime(2015, 1, 1, 1, 1), 'description': u'Blah', 'globs': [glob_a, glob_b], 'members': [ident_a, ident_b], 'modified_by': model.Identity(kind='user', name='*****@*****.**'), 'modified_ts': datetime.datetime(2015, 1, 1, 1, 1), 'nested': [], 'owners': u'administrators', }, }, self.grab_log(model.AuthGroup))
def group(name, **kwargs): return model.AuthGroup(key=model.group_key(name), **kwargs)
def delete(): g = model.group_key('A group').get() g.record_deletion(modified_by=ident('*****@*****.**'), modified_ts=utils.utcnow(), comment='Deleted') g.key.delete()