def _setup_service_account_to_google_bucket_access_group(db_session): """ Setup some testing data. """ cloud_provider = CloudProvider( name="test_provider", endpoint="https://test.com", backend="test_backend", description="description", service="service", ) db_session.add(cloud_provider) db_session.add( UserServiceAccount( google_unique_id="test_id1", email="*****@*****.**", google_project_id="efewf444", ) ) db_session.add( UserServiceAccount( google_unique_id="test_id2", email="*****@*****.**", google_project_id="edfwf444", ) ) db_session.commit() bucket1 = Bucket(name="test_bucket1", provider_id=cloud_provider.id) db_session.add(bucket1) db_session.commit() db_session.add( GoogleBucketAccessGroup( bucket_id=bucket1.id, email="*****@*****.**", privileges=["read-storage", "write-storage"], ) ) db_session.add( GoogleBucketAccessGroup( bucket_id=bucket1.id, email="*****@*****.**", privileges=["read-storage"], ) ) db_session.commit()
def _create_google_bucket_access_group( db_session, google_bucket_name, bucket_db_id, google_project_id, privileges ): access_group = None prefix = config.get("GOOGLE_GROUP_PREFIX", "") # use default creds for creating group and iam policies with GoogleCloudManager(google_project_id) as g_mgr: # create bucket access group result = g_mgr.create_group( name=prefix + "_" + google_bucket_name + "_" + "_".join(privileges) + "_gbag" ) group_email = result["email"] # add bucket group to db access_group = ( db_session.query(GoogleBucketAccessGroup) .filter_by(bucket_id=bucket_db_id, email=group_email) .first() ) if not access_group: access_group = GoogleBucketAccessGroup( bucket_id=bucket_db_id, email=group_email, privileges=privileges ) db_session.add(access_group) db_session.commit() return access_group
def test_google_bucket_access_denied_new_proxy_group( app, google_storage_client_mocker, client, cloud_manager, db_session, encoded_jwt_no_proxy_group, monkeypatch, ): monkeypatch.setitem(config, "MOCK_AUTH", False) user_id = encoded_jwt_no_proxy_group["user_id"] proj = Project(id=129, name="test_proj") ap = AccessPrivilege(user_id=user_id, project_id=proj.id, privilege=["read-storage"]) cloud = CloudProvider(id=129, name="google") bucket = Bucket(id=129, provider_id=cloud.id) gbag = GoogleBucketAccessGroup(id=129, bucket_id=bucket.id, email="*****@*****.**", privileges=["write"]) ptob = ProjectToBucket(id=129, project_id=proj.id, bucket_id=bucket.id) sa = StorageAccess(project_id=proj.id, provider_id=cloud.id) db_session.add(proj) db_session.add(ap) db_session.add(cloud) db_session.add(bucket) db_session.add(gbag) db_session.add(ptob) db_session.add(sa) db_session.commit() encoded_credentials_jwt = encoded_jwt_no_proxy_group["jwt"] new_service_account = { "uniqueId": "987654321", "email": "*****@*****.**", "projectId": "1", } new_proxy_group = {"id": "123456789", "email": "*****@*****.**"} path = "/credentials/google/" data = {} # return new service account (cloud_manager.return_value.__enter__.return_value. create_service_account_for_proxy_group.return_value) = new_service_account (cloud_manager.return_value.__enter__.return_value. create_proxy_group_for_user.return_value) = new_proxy_group response = client.post( path, data=data, headers={"Authorization": "Bearer " + encoded_credentials_jwt}) assert google_storage_client_mocker.delete_bucket_acl.called is True assert response.status_code == 200
def test_google_bucket_access_existing_proxy_group( app, google_storage_client_mocker, client, cloud_manager, db_session, encoded_creds_jwt, monkeypatch, ): monkeypatch.setitem(app.config, "MOCK_AUTH", False) user_id = encoded_creds_jwt["user_id"] client_id = encoded_creds_jwt["client_id"] service_account_id = "123456789" path = "/credentials/google/" proj = Project(id=129, name="test_proj") ap = AccessPrivilege( user_id=user_id, project_id=proj.id, privilege=["write-storage"] ) cloud = CloudProvider(id=129, name="google") bucket = Bucket(id=129, provider_id=cloud.id) gbag = GoogleBucketAccessGroup( id=129, bucket_id=bucket.id, email="*****@*****.**", privileges=["write"] ) ptob = ProjectToBucket(id=129, project_id=proj.id, bucket_id=bucket.id) sa = StorageAccess(project_id=proj.id, provider_id=cloud.id) service_account = GoogleServiceAccount( google_unique_id=service_account_id, client_id=client_id, user_id=user_id, email=(client_id + "-" + str(user_id) + "@test.com"), google_project_id="projectId-0", ) db_session.add(service_account) db_session.commit() db_session.add(proj) db_session.add(ap) db_session.add(cloud) db_session.add(bucket) db_session.add(gbag) db_session.add(ptob) db_session.add(sa) db_session.add(service_account) db_session.commit() encoded_credentials_jwt = encoded_creds_jwt["jwt"] path = "/credentials/google/" data = {} response = client.post( path, data=data, headers={"Authorization": "Bearer " + encoded_credentials_jwt} ) assert google_storage_client_mocker.add_bucket_acl.called is False assert response.status_code == 200
def test_patch_service_account_valid_limit( client, app, db_session, encoded_jwt_service_accounts_access, register_user_service_account, user_can_manage_service_account_mock, valid_user_service_account_mock, revoke_user_service_account_from_google_mock, add_user_service_account_to_google_mock, ): """ Test that patching with new project_access returns 204 when SERVICE_ACCOUNT_LIMIT number of projects is registered. """ encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"] service_account = register_user_service_account["service_account"] project_access = [] n_projects = config["SERVICE_ACCOUNT_LIMIT"] for i in range(n_projects): project = Project(id=i, auth_id="auth_id_{}".format(i)) bucket = Bucket(id=i) db_session.add(project) db_session.add(bucket) db_session.commit() project_to_bucket = ProjectToBucket(project_id=i, bucket_id=i) db_session.add(project_to_bucket) db_session.commit() gbag = GoogleBucketAccessGroup(id=i, bucket_id=i, email="*****@*****.**") db_session.add(gbag) db_session.commit() project_access.append("auth_id_{}".format(i)) response = client.patch( "/google/service_accounts/{}".format(quote(service_account.email)), headers={"Authorization": "Bearer " + encoded_creds_jwt}, content_type="application/json", data=json.dumps({"project_access": project_access}), ) assert response.status_code == 204 service_account_accesses = ( db_session.query(ServiceAccountToGoogleBucketAccessGroup).filter_by( service_account_id=service_account.id)).all() assert len(service_account_accesses) == config["SERVICE_ACCOUNT_LIMIT"]
def test_service_account_relationsips(db_session): """ test service account tables have proper relationships/fields """ project = Project(id=1) bucket = Bucket(id=1) user_sa = UserServiceAccount( id=1, google_unique_id="guid", email="*****@*****.**", google_project_id="gpid", ) sa_access_privilege = ServiceAccountAccessPrivilege(id=1, project_id=1, service_account_id=1) gbag = GoogleBucketAccessGroup(id=1, bucket_id=1, email="*****@*****.**") sa_to_gbag = ServiceAccountToGoogleBucketAccessGroup(id=1, service_account_id=1, expires=0, access_group_id=1) db_session.add(project) db_session.add(bucket) db_session.add(user_sa) db_session.add(sa_access_privilege) db_session.add(gbag) db_session.add(sa_to_gbag) db_session.commit() assert project.sa_access_privileges[ 0].__class__ == ServiceAccountAccessPrivilege assert project.sa_access_privileges[0].id == 1 assert sa_access_privilege.project.__class__ == Project assert sa_access_privilege.project.id == 1 assert sa_access_privilege.service_account.__class__ == UserServiceAccount assert sa_access_privilege.service_account.id == 1 assert user_sa.access_privileges[ 0].__class__ == ServiceAccountAccessPrivilege assert user_sa.access_privileges[0].id == 1 assert (user_sa.to_access_groups[0].__class__ == ServiceAccountToGoogleBucketAccessGroup) assert user_sa.to_access_groups[0].id == 1 assert sa_to_gbag.service_account.__class__ == UserServiceAccount assert sa_to_gbag.service_account.id == 1 assert sa_to_gbag.access_group.__class__ == GoogleBucketAccessGroup assert sa_to_gbag.access_group.id == 1 assert gbag.to_access_groups[ 0].__class__ == ServiceAccountToGoogleBucketAccessGroup assert gbag.to_access_groups[0].id == 1
def _create_google_bucket_access_group(db_session, google_bucket_name, bucket_db_id, google_project_id, privileges): access_group = None # use default creds for creating group and iam policies with GoogleCloudManager(google_project_id) as g_mgr: # create bucket access group result = g_mgr.create_group(name=google_bucket_name + "_" + "_".join(privileges) + "_gbag") group_email = result["email"] # add bucket group to db access_group = GoogleBucketAccessGroup(bucket_id=bucket_db_id, email=group_email, privileges=privileges) db_session.add(access_group) db_session.commit() return access_group
def load_google_specific_user_data(db_session, test_user_d): """Add Google-specific user data to Fence db.""" gpg = GoogleProxyGroup(id=userd_dict["gpg_id"], email=userd_dict["gpg_email"]) gsak = GoogleServiceAccountKey( id=userd_dict["gsak_id"], key_id=userd_dict["gsak_key_id"], service_account_id=userd_dict["gsa_id"], ) gsa = GoogleServiceAccount( id=userd_dict["gsa_id"], google_unique_id="d_gui", user_id=userd_dict["user_id"], google_project_id="d_gpid", email=userd_dict["gsa_email"], ) bkt = Bucket(id=userd_dict["bucket_id"]) gbag = GoogleBucketAccessGroup( id=userd_dict["gbag_id"], bucket_id=userd_dict["bucket_id"], email=userd_dict["gbag_email"], ) gpg_gbag = GoogleProxyGroupToGoogleBucketAccessGroup( id=userd_dict["gpg_to_gbag_id"], proxy_group_id=userd_dict["gpg_id"], access_group_id=userd_dict["gbag_id"], ) uga = UserGoogleAccount( id=userd_dict["uga_id"], email=userd_dict["uga_email"], user_id=userd_dict["user_id"], ) uga_pg = UserGoogleAccountToProxyGroup( user_google_account_id=userd_dict["uga_id"], proxy_group_id=userd_dict["gpg_id"]) db_session.add_all([gpg, gsak, gsa, bkt, gbag, gpg_gbag, uga, uga_pg]) user = (db_session.query(User).filter_by( username=userd_dict["user_username"]).first()) user.google_proxy_group_id = userd_dict["gpg_id"] db_session.commit()
def test_register_service_account_already_exists( app, db_session, client, encoded_jwt_service_accounts_access, cloud_manager, valid_google_project_patcher, valid_service_account_patcher, ): project = Project(id=1, auth_id="some_auth_id") bucket = Bucket(id=1) db_session.add(project) db_session.add(bucket) db_session.commit() project_to_bucket = ProjectToBucket(project_id=1, bucket_id=1) db_session.add(project_to_bucket) db_session.commit() gbag = GoogleBucketAccessGroup(id=1, bucket_id=1, email="*****@*****.**") db_session.add(gbag) db_session.commit() encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"] project_access = ["some_auth_id"] valid_service_account = { "service_account_email": "*****@*****.**", "google_project_id": "project-id", "project_access": project_access, } (cloud_manager.return_value.__enter__.return_value.get_service_account. return_value) = { "uniqueId": "sa_unique_id", "email": "*****@*****.**" } (cloud_manager.return_value.__enter__.return_value.add_member_to_group. return_value) = { "email": "*****@*****.**" } response = client.post( "/google/service_accounts", headers={"Authorization": "Bearer " + encoded_creds_jwt}, data=json.dumps(valid_service_account), content_type="application/json", ) assert response.status_code == 200 response = client.post( "/google/service_accounts", headers={"Authorization": "Bearer " + encoded_creds_jwt}, data=json.dumps(valid_service_account), content_type="application/json", ) assert response.status_code == 400 assert response.json["errors"]["service_account_email"]["status"] == 409 assert len(db_session.query(UserServiceAccount).all()) == 1 assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 1 assert len( db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 1
def test_service_account_registration_expires_in( app, db_session, client, encoded_jwt_service_accounts_access, cloud_manager, valid_google_project_patcher, valid_service_account_patcher, ): """ Test that a service account registration with a valid expires_in is successful, and that a registration with an invalid expires_in is not. """ project = Project(id=1, auth_id="some_auth_id") bucket = Bucket(id=1) db_session.add(project) db_session.add(bucket) db_session.commit() project_to_bucket = ProjectToBucket(project_id=1, bucket_id=1) db_session.add(project_to_bucket) db_session.commit() gbag = GoogleBucketAccessGroup(id=1, bucket_id=1, email="*****@*****.**") db_session.add(gbag) db_session.commit() encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"] project_access = ["some_auth_id"] valid_service_account = { "service_account_email": "*****@*****.**", "google_project_id": "project-id", "project_access": project_access, } (cloud_manager.return_value.__enter__.return_value.get_service_account. return_value) = { "uniqueId": "sa_unique_id", "email": "*****@*****.**" } (cloud_manager.return_value.__enter__.return_value.add_member_to_group. return_value) = { "email": "*****@*****.**" } assert len(db_session.query(UserServiceAccount).all()) == 0 assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 0 assert len( db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 0 # valid expires_in: should succeed requested_exp = 60 response = client.post( "/google/service_accounts?expires_in={}".format(requested_exp), headers={"Authorization": "Bearer " + encoded_creds_jwt}, data=json.dumps(valid_service_account), content_type="application/json", ) assert response.status_code == 200 # check if success assert len(db_session.query(UserServiceAccount).all()) == 1 assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 1 sa_to_bucket_entries = db_session.query( ServiceAccountToGoogleBucketAccessGroup).all() assert len(sa_to_bucket_entries) == 1 # make sure the access was granted for the requested time # (allow up to 2 sec for runtime) diff = sa_to_bucket_entries[0].expires - int(time.time()) assert requested_exp - 2 <= diff <= requested_exp # invalid expires_in: should fail requested_exp = "abc" # expires_in must be int >0 response = client.post( "/google/service_accounts?expires_in={}".format(requested_exp), headers={"Authorization": "Bearer " + encoded_creds_jwt}, data=json.dumps(valid_service_account), content_type="application/json", ) assert response.status_code == 400 # check if failure
def test_valid_service_account_registration_multiple_service_accounts( app, db_session, client, encoded_jwt_service_accounts_access, cloud_manager, valid_google_project_patcher, valid_service_account_patcher, ): """ Test that a valid service account registration request returns 200 and succesfully creates entries in database when the Google project has both another valid service account in the project and a Google-managed system service account. """ proj_patcher = valid_google_project_patcher project = Project(id=1, auth_id="some_auth_id") bucket = Bucket(id=1) db_session.add(project) db_session.add(bucket) db_session.commit() project_to_bucket = ProjectToBucket(project_id=1, bucket_id=1) db_session.add(project_to_bucket) db_session.commit() gbag = GoogleBucketAccessGroup(id=1, bucket_id=1, email="*****@*****.**") db_session.add(gbag) db_session.commit() google_project_id = "project-id" encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"] project_access = ["some_auth_id"] proj_patcher["get_service_account_ids_from_google_members"].return_value = [ "test-{}@test.com".format(google_project_id), "{}@compute-system.iam.gserviceaccount.com".format(google_project_id), ] valid_service_account = { "service_account_email": "*****@*****.**", "google_project_id": google_project_id, "project_access": project_access, } (cloud_manager.return_value.__enter__.return_value.get_service_account. return_value) = { "uniqueId": "sa_unique_id", "email": "*****@*****.**" } (cloud_manager.return_value.__enter__.return_value.add_member_to_group. return_value) = { "email": "*****@*****.**" } assert len(db_session.query(UserServiceAccount).all()) == 0 assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 0 assert len( db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 0 response = client.post( "/google/service_accounts", headers={"Authorization": "Bearer " + encoded_creds_jwt}, data=json.dumps(valid_service_account), content_type="application/json", ) assert response.status_code == 200 assert len(db_session.query(UserServiceAccount).all()) == 1 assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 1 assert len( db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 1
def test_invalid_project_limit_service_account_registration( app, db_session, client, encoded_jwt_service_accounts_access, cloud_manager, valid_google_project_patcher, ): """ Test that we get a 400 when there are SERVICE_ACCOUNT_LIMIT + 1 number of projects and the databse isn't updated. """ proj_patcher = valid_google_project_patcher project_access = [] n_projects = config["SERVICE_ACCOUNT_LIMIT"] + 1 for i in range(n_projects): project = Project(id=i, auth_id="auth_id_{}".format(i)) bucket = Bucket(id=i) db_session.add(project) db_session.add(bucket) db_session.commit() project_to_bucket = ProjectToBucket(project_id=i, bucket_id=i) db_session.add(project_to_bucket) db_session.commit() gbag = GoogleBucketAccessGroup(id=i, bucket_id=i, email="*****@*****.**") db_session.add(gbag) db_session.commit() project_access.append("auth_id_{}".format(i)) google_project_id = "project-id" encoded_creds_jwt = encoded_jwt_service_accounts_access["jwt"] proj_patcher["get_service_account_ids_from_google_members"].return_value = [ "test-{}@test.com".format(google_project_id), "{}@compute-system.iam.gserviceaccount.com".format(google_project_id), ] valid_service_account = { "service_account_email": "*****@*****.**", "google_project_id": google_project_id, "project_access": project_access, } (cloud_manager.return_value.__enter__.return_value.get_service_account. return_value) = { "uniqueId": "sa_unique_id", "email": "*****@*****.**" } (cloud_manager.return_value.__enter__.return_value.add_member_to_group. return_value) = { "email": "*****@*****.**" } assert len(db_session.query(UserServiceAccount).all()) == 0 assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 0 assert len( db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 0 response = client.post( "/google/service_accounts", headers={"Authorization": "Bearer " + encoded_creds_jwt}, data=json.dumps(valid_service_account), content_type="application/json", ) assert response.status_code == 400 assert len(db_session.query(UserServiceAccount).all()) == 0 assert len(db_session.query(ServiceAccountAccessPrivilege).all()) == 0 assert len( db_session.query(ServiceAccountToGoogleBucketAccessGroup).all()) == 0
def setup_data(db_session): cp = CloudProvider(name="test", endpoint="http://test.endpt") user = UserServiceAccount( google_unique_id="test_id", email="*****@*****.**", google_project_id="test" ) user_1 = UserServiceAccount( google_unique_id="test_id", email="*****@*****.**", google_project_id="test" ) user_2 = UserServiceAccount( google_unique_id="test_id", email="*****@*****.**", google_project_id="test" ) user_3 = UserServiceAccount( google_unique_id="test_id", email="*****@*****.**", google_project_id="test" ) db_session.add(user) db_session.add(user_1) db_session.add(user_2) db_session.add(user_3) db_session.add(cp) db_session.commit() bucket = Bucket(name="bucket1", provider_id=cp.id) bucket2 = Bucket(name="bucket2", provider_id=cp.id) bucket3 = Bucket(name="bucket3", provider_id=cp.id) db_session.add(bucket) db_session.add(bucket2) db_session.add(bucket3) db_session.commit() project1 = Project(name="test_1", auth_id="test_auth_1") project2 = Project(name="test_2", auth_id="test_auth_2") project3 = Project(name="test_3", auth_id="test_auth_3") db_session.add(project1) db_session.add(project2) db_session.add(project3) db_session.commit() db_session.add(ProjectToBucket(project_id=project1.id, bucket_id=bucket.id)) db_session.add(ProjectToBucket(project_id=project2.id, bucket_id=bucket2.id)) db_session.add(ProjectToBucket(project_id=project3.id, bucket_id=bucket3.id)) db_session.add( ServiceAccountAccessPrivilege( project_id=project1.id, service_account_id=user.id ) ) db_session.add( ServiceAccountAccessPrivilege( project_id=project2.id, service_account_id=user.id ) ) db_session.add( ServiceAccountAccessPrivilege( project_id=project1.id, service_account_id=user_1.id ) ) db_session.add( ServiceAccountAccessPrivilege( project_id=project1.id, service_account_id=user_2.id ) ) db_session.add( ServiceAccountAccessPrivilege( project_id=project1.id, service_account_id=user_3.id ) ) access_grp = GoogleBucketAccessGroup( bucket_id=bucket.id, email="*****@*****.**" ) access_grp2 = GoogleBucketAccessGroup( bucket_id=bucket2.id, email="*****@*****.**" ) access_grp3 = GoogleBucketAccessGroup( bucket_id=bucket3.id, email="*****@*****.**" ) db_session.add(access_grp) db_session.add(access_grp2) db_session.add(access_grp3) db_session.commit() service_account_grp1 = ServiceAccountToGoogleBucketAccessGroup( service_account_id=user.id, access_group_id=access_grp.id ) service_account_grp2 = ServiceAccountToGoogleBucketAccessGroup( service_account_id=user.id, access_group_id=access_grp2.id ) db_session.add(service_account_grp1) db_session.add(service_account_grp2) db_session.commit()
def register_user_service_account(db_session): cp = db_session.query(CloudProvider).filter_by(name="test").first() if not cp: cp = CloudProvider(name="test", endpoint="http://test.endpt") db_session.add(cp) db_session.commit() bucket1 = db_session.query(Bucket).filter_by(name="bucket1").first() if not bucket1: bucket1 = Bucket(name="bucket1", provider_id=cp.id) db_session.add(bucket1) db_session.commit() bucket2 = db_session.query(Bucket).filter_by(name="bucket2").first() if not bucket2: bucket2 = Bucket(name="bucket2", provider_id=cp.id) db_session.add(bucket2) db_session.commit() project1 = db_session.query(Project).filter_by(name="test_1").first() if not project1: project1 = Project(name="test_1", auth_id="test_auth_1") db_session.add(project1) db_session.commit() project2 = db_session.query(Project).filter_by(name="test_2").first() if not project2: project2 = Project(name="test_2", auth_id="test_auth_2") db_session.add(project2) db_session.commit() access_grp1 = ( db_session.query(GoogleBucketAccessGroup) .filter_by(email="*****@*****.**") .first() ) if not access_grp1: access_grp1 = GoogleBucketAccessGroup( bucket_id=bucket1.id, email="*****@*****.**" ) db_session.add(access_grp1) db_session.commit() access_grp2 = ( db_session.query(GoogleBucketAccessGroup) .filter_by(email="*****@*****.**") .first() ) if not access_grp2: access_grp2 = GoogleBucketAccessGroup( bucket_id=bucket2.id, email="*****@*****.**" ) db_session.add(access_grp2) db_session.commit() project_to_bucket1 = ( db_session.query(ProjectToBucket).filter_by(project_id=project1.id).first() ) if not project_to_bucket1: project_to_bucket1 = ProjectToBucket( project_id=project1.id, bucket_id=bucket1.id ) db_session.add(project_to_bucket1) db_session.commit() project_to_bucket2 = ( db_session.query(ProjectToBucket).filter_by(project_id=project2.id).first() ) if not project_to_bucket2: project_to_bucket2 = ProjectToBucket( project_id=project2.id, bucket_id=bucket2.id ) db_session.add(project_to_bucket2) db_session.commit() # new service account each time this is called random_string = "".join( random.choice(string.ascii_uppercase + string.digits) for _ in range(6) ) user = UserServiceAccount( google_unique_id="{}".format(random_string), email="{}@test.iam.gserviceaccount.com".format(random_string), google_project_id="test", ) db_session.add(user) db_session.commit() db_session.add( ServiceAccountAccessPrivilege( project_id=project1.id, service_account_id=user.id ) ) db_session.add( ServiceAccountAccessPrivilege( project_id=project2.id, service_account_id=user.id ) ) # expiration set to 0 for testing that it gets set current_time = 0 service_account_grp1 = ServiceAccountToGoogleBucketAccessGroup( service_account_id=user.id, access_group_id=access_grp1.id, expires=current_time ) service_account_grp2 = ServiceAccountToGoogleBucketAccessGroup( service_account_id=user.id, access_group_id=access_grp2.id, expires=current_time ) db_session.add(service_account_grp1) db_session.add(service_account_grp2) db_session.commit() return { "service_account": user, "projects": [project1, project2], "buckets": [bucket1, bucket2], "bucket_access_groups": [access_grp1, access_grp2], }
def test_google_bucket_access_existing_proxy_group( app, google_storage_client_mocker, client, cloud_manager, db_session, encoded_creds_jwt, monkeypatch, ): monkeypatch.setitem(config, "MOCK_AUTH", False) user_id = encoded_creds_jwt["user_id"] client_id = encoded_creds_jwt["client_id"] service_account_id = "123456789" path = "/credentials/google/" proj = Project(id=129, name="test_proj") ap = AccessPrivilege(user_id=user_id, project_id=proj.id, privilege=["write-storage"]) cloud = CloudProvider(id=129, name="google") bucket = Bucket(id=129, provider_id=cloud.id) gbag = GoogleBucketAccessGroup(id=129, bucket_id=bucket.id, email="*****@*****.**", privileges=["write"]) ptob = ProjectToBucket(id=129, project_id=proj.id, bucket_id=bucket.id) sa = StorageAccess(project_id=proj.id, provider_id=cloud.id) service_account = GoogleServiceAccount( google_unique_id=service_account_id, client_id=client_id, user_id=user_id, email=(client_id + "-" + str(user_id) + "@test.com"), google_project_id="projectId-0", ) db_session.add(service_account) db_session.commit() db_session.add(proj) db_session.add(ap) db_session.add(cloud) db_session.add(bucket) db_session.add(gbag) db_session.add(ptob) db_session.add(sa) db_session.add(service_account) db_session.commit() # make function return the service account we created and don't try to update db # since we already did it in the test mock = MagicMock() mock.return_value = service_account patch("fence.resources.google.utils.get_or_create_service_account", mock).start() patch("fence.resources.google.utils._update_service_account_db_entry", mock).start() encoded_credentials_jwt = encoded_creds_jwt["jwt"] path = "/credentials/google/" data = {} response = client.post( path, data=data, headers={"Authorization": "Bearer " + encoded_credentials_jwt}) assert google_storage_client_mocker.add_bucket_acl.called is False assert response.status_code == 200
def invalid_service_account_not_exist(db_session): invalid_service_account = "*****@*****.**" user = UserServiceAccount( google_unique_id="invalid_test_id", email=invalid_service_account, google_project_id="test", ) db_session.add(user) db_session.commit() cp = db_session.query(CloudProvider).filter_by(name="test").first() if not cp: cp = CloudProvider(name="test", endpoint="http://test.endpt") db_session.add(cp) db_session.commit() bucket1 = db_session.query(Bucket).filter_by(name="bucket1").first() if not bucket1: bucket1 = Bucket(name="bucket1", provider_id=cp.id) db_session.add(bucket1) db_session.commit() project1 = db_session.query(Project).filter_by(name="test_1").first() if not project1: project1 = Project(name="test_1", auth_id="test_auth_1") db_session.add(project1) db_session.commit() access_grp1 = ( db_session.query(GoogleBucketAccessGroup) .filter_by(email="*****@*****.**") .first() ) if not access_grp1: access_grp1 = GoogleBucketAccessGroup( bucket_id=bucket1.id, email="*****@*****.**" ) db_session.add(access_grp1) db_session.commit() db_session.add( ServiceAccountAccessPrivilege( project_id=project1.id, service_account_id=user.id ) ) db_session.commit() # expiration set to 0 for testing that it gets set current_time = 0 service_account_grp1 = ServiceAccountToGoogleBucketAccessGroup( service_account_id=user.id, access_group_id=access_grp1.id, expires=current_time ) db_session.add(service_account_grp1) db_session.commit() def mock_is_valid(sa_email, *args, **kwargs): if sa_email == invalid_service_account: validity = GoogleServiceAccountValidity("account_id", "project_id") # set overall validity to False # set policy_accessible to False so the SA is removed from the DB validity["policy_accessible"] = False validity._valid = False return validity return True patcher = patch( "fence.scripting.google_monitor._is_valid_service_account", mock_is_valid ) patcher.start() yield { "service_account": user, "projects": [project1], "bucket_access_groups": [access_grp1], } patcher.stop()
def _setup_google_access(db_session, access_1_expires=None, access_2_expires=None): """ Setup some testing data. Args: access_1_expires (str, optional): expiration for the Proxy Group -> Google Bucket Access Group for user 1, defaults to None access_2_expires (str, optional): expiration for the Proxy Group -> Google Bucket Access Group for user 2, defaults to None """ cloud_provider = CloudProvider( name="test_provider", endpoint="https://test.com", backend="test_backend", description="description", service="service", ) db_session.add(cloud_provider) db_session.add( UserServiceAccount( google_unique_id="test_id1", email="*****@*****.**", google_project_id="efewf444", )) db_session.add( UserServiceAccount( google_unique_id="test_id2", email="*****@*****.**", google_project_id="edfwf444", )) db_session.commit() bucket1 = Bucket(name="test_bucket1", provider_id=cloud_provider.id) db_session.add(bucket1) db_session.commit() gpg1 = GoogleProxyGroup(id=1, email="*****@*****.**") gpg2 = GoogleProxyGroup(id=2, email="*****@*****.**") db_session.add(gpg1) db_session.add(gpg2) db_session.commit() gbag1 = GoogleBucketAccessGroup( bucket_id=bucket1.id, email="*****@*****.**", privileges=["read-storage", "write-storage"], ) gbag2 = GoogleBucketAccessGroup( bucket_id=bucket1.id, email="*****@*****.**", privileges=["read-storage"], ) db_session.add(gbag1) db_session.add(gbag2) db_session.commit() db_session.add( GoogleProxyGroupToGoogleBucketAccessGroup(proxy_group_id=gpg1.id, access_group_id=gbag1.id, expires=access_1_expires)) db_session.add( GoogleProxyGroupToGoogleBucketAccessGroup(proxy_group_id=gpg2.id, access_group_id=gbag2.id, expires=access_2_expires)) db_session.commit() return {"google_proxy_group_ids": {"1": gpg1.id, "2": gpg2.id}}
def setup_test_data(db_session): cp = CloudProvider(name="test", endpoint="http://test.endpt") proxy_group_list = [ { "id": "group1", "email": "*****@*****.**" }, { "id": "group2", "email": "*****@*****.**" }, ] user_account_list = [ { "google_unique_id": "test_id1", "email": "*****@*****.**", "google_project_id": "test", }, { "google_unique_id": "test_id2", "email": "*****@*****.**", "google_project_id": "test", }, ] proxy_groups = [] for group in proxy_group_list: proxy_groups.append(GoogleProxyGroup(**group)) db_session.add(proxy_groups[-1]) user_service_accounts = [] for user in user_account_list: user_service_accounts.append(UserServiceAccount(**user)) db_session.add(user_service_accounts[-1]) db_session.commit() bucket1 = Bucket(name="bucket1", provider_id=cp.id) bucket2 = Bucket(name="bucket2", provider_id=cp.id) bucket3 = Bucket(name="bucket3", provider_id=cp.id) db_session.add(bucket1) db_session.add(bucket2) db_session.add(bucket3) db_session.commit() access_grp1 = GoogleBucketAccessGroup(bucket_id=bucket1.id, email="*****@*****.**") db_session.add(access_grp1) db_session.commit() db_session.add( GoogleProxyGroupToGoogleBucketAccessGroup( proxy_group_id=proxy_groups[0].id, access_group_id=access_grp1.id)) db_session.add( ServiceAccountToGoogleBucketAccessGroup( service_account_id=user_service_accounts[0].id, access_group_id=access_grp1.id, )) db_session.commit()