def test_google_delete_invalid_access_token(app, client, oauth_client, cloud_manager, db_session): """ Test ``DELETE /credentials/google``. """ client_id = oauth_client["client_id"] service_account_key = "some_key_321" service_account_id = "123456789" proxy_group_id = "proxy_group_0" path = ("/credentials/google/" + service_account_key + "/") def get_account_keys(*args, **kwargs): # Return the keys only if the correct account is given if args[0] == service_account_id: # Return two keys, NEITHER are the key we want to delete return [{ "name": "project/service_accounts/keys/voyager" }, { "name": "project/service_accounts/keys/deep-space-nine" }] else: return [] (cloud_manager.return_value.__enter__.return_value. get_service_account_keys_info.side_effect) = get_account_keys with app.test_client() as app_client: # set global client context flask.g.client_id = client_id # get test user info user = (db_session.query(User).filter_by(username="******").first()) user_id = user.id # create a proxy group for user proxy_group = GoogleProxyGroup( id=proxy_group_id, user_id=user_id, ) db_session.add(proxy_group) # create a service account for client for user service_account = GoogleServiceAccount( google_unique_id=service_account_id, client_id=client_id, user_id=user_id, email=(client_id + "-" + str(user_id) + "@test.com")) db_session.add(user) db_session.add(service_account) db_session.commit() response = app_client.delete(path, data={}) # check that we didn't try to delete, since the key doesn't exist assert (cloud_manager.return_value.__enter__.return_value. delete_service_account_key).called is False assert response.status_code == 404
def test_google_access_token_new_service_account(app, oauth_client, db_session, cloud_manager): """ Test that ``POST /credentials/google`` creates a new service account for the user if one doesn't exist. """ _populate_test_identity(db_session, name=IdentityProvider.itrust) client_id = oauth_client['client_id'] new_service_account = { 'uniqueId': '987654321', 'email': '*****@*****.**' } proxy_group_id = 'proxy_group_0' path = '/credentials/google/' # return new service account (cloud_manager.return_value.__enter__.return_value. create_service_account_for_proxy_group.return_value) = new_service_account with app.test_client() as app_client: # set global client context flask.g.client_id = client_id service_accounts_before = ( db_session.query(GoogleServiceAccount).filter_by( client_id=client_id)).count() # get test user info user = (db_session.query(User).filter_by(username='******').first()) user_id = user.id # create a proxy group for user proxy_group = GoogleProxyGroup( id=proxy_group_id, user_id=user_id, ) db_session.add(user) db_session.add(proxy_group) db_session.commit() response = app_client.post(path) service_accounts_after = ( db_session.query(GoogleServiceAccount).filter_by( client_id=client_id)).count() # make sure we created a new service account for the user's proxy # group and added it to the db assert (cloud_manager.return_value.__enter__.return_value. create_service_account_for_proxy_group).called assert service_accounts_after == service_accounts_before + 1 assert response.status_code == 200
def test_google_attempt_delete_unowned_access_token(app, client, oauth_client, cloud_manager, db_session): """ Test ``DELETE /credentials/google``. """ client_id = oauth_client["client_id"] service_account_key = "some_key_321" proxy_group_id = "proxy_group_0" path = ("/credentials/google/" + service_account_key + "/") with app.test_client() as app_client: # set global client context flask.g.client_id = client_id # get test user info user = (db_session.query(User).filter_by(username="******").first()) user_id = user.id # create a proxy group for user proxy_group = GoogleProxyGroup( id=proxy_group_id, user_id=user_id, ) db_session.add(proxy_group) # create a service account for A DIFFERENT CLIENT client = Client( client_id="NOT_THIS_GUY", client_secret="a0987u23on192y", name="NOT_THIS_GUY", ) service_account = GoogleServiceAccount( google_unique_id="123456789", client_id="NOT_THIS_GUY", user_id=user_id, email=("NOT_THIS_GUY" + "-" + str(user_id) + "@test.com")) db_session.add(user) db_session.add(client) db_session.add(service_account) db_session.commit() response = app_client.delete(path, data={}) # check that we didn't try to get key info or delete, # since the current user/client doesn't have the key assert (cloud_manager.return_value.__enter__.return_value. get_service_account_keys_info).called is False assert (cloud_manager.return_value.__enter__.return_value. delete_service_account_key).called is False assert response.status_code == 404
def test_google_create_access_token_post(app, oauth_client, cloud_manager, db_session): """ Test ``POST /credentials/google`` gets a new access key. """ client_id = oauth_client['client_id'] service_account_id = '123456789' proxy_group_id = 'proxy_group_0' path = '/credentials/google/' data = {} with app.test_client() as app_client: # set global client context flask.g.client_id = client_id # get test user info user = (db_session.query(User).filter_by(username='******').first()) user_id = user.id # create a proxy group for user proxy_group = GoogleProxyGroup( id=proxy_group_id, user_id=user_id, ) db_session.add(proxy_group) # create a service account for client for user service_account = GoogleServiceAccount( google_unique_id=service_account_id, client_id=client_id, user_id=user_id, email=(client_id + '-' + str(user_id) + '@test.com')) db_session.add(user) db_session.add(service_account) db_session.commit() response = app_client.post(path, data=data) # check that the service account id was included in a # call to cloud_manager (cloud_manager.return_value.__enter__.return_value.get_access_key ).assert_called_with(service_account_id) assert response.status_code == 200
def load_google_specific_user_data(db_session, test_user_d): """Add Google-specific user data to Fence db.""" gpg = GoogleProxyGroup(id=userd_dict["gpg_id"], email=userd_dict["gpg_email"]) gsak = GoogleServiceAccountKey( id=userd_dict["gsak_id"], key_id=userd_dict["gsak_key_id"], service_account_id=userd_dict["gsa_id"], ) gsa = GoogleServiceAccount( id=userd_dict["gsa_id"], google_unique_id="d_gui", user_id=userd_dict["user_id"], google_project_id="d_gpid", email=userd_dict["gsa_email"], ) bkt = Bucket(id=userd_dict["bucket_id"]) gbag = GoogleBucketAccessGroup( id=userd_dict["gbag_id"], bucket_id=userd_dict["bucket_id"], email=userd_dict["gbag_email"], ) gpg_gbag = GoogleProxyGroupToGoogleBucketAccessGroup( id=userd_dict["gpg_to_gbag_id"], proxy_group_id=userd_dict["gpg_id"], access_group_id=userd_dict["gbag_id"], ) uga = UserGoogleAccount( id=userd_dict["uga_id"], email=userd_dict["uga_email"], user_id=userd_dict["user_id"], ) uga_pg = UserGoogleAccountToProxyGroup( user_google_account_id=userd_dict["uga_id"], proxy_group_id=userd_dict["gpg_id"]) db_session.add_all([gpg, gsak, gsa, bkt, gbag, gpg_gbag, uga, uga_pg]) user = (db_session.query(User).filter_by( username=userd_dict["user_username"]).first()) user.google_proxy_group_id = userd_dict["gpg_id"] db_session.commit()
def setup_test_data(db_session): cp = CloudProvider(name="test", endpoint="http://test.endpt") proxy_group_list = [ { "id": "group1", "email": "*****@*****.**" }, { "id": "group2", "email": "*****@*****.**" }, ] user_account_list = [ { "google_unique_id": "test_id1", "email": "*****@*****.**", "google_project_id": "test", }, { "google_unique_id": "test_id2", "email": "*****@*****.**", "google_project_id": "test", }, ] proxy_groups = [] for group in proxy_group_list: proxy_groups.append(GoogleProxyGroup(**group)) db_session.add(proxy_groups[-1]) user_service_accounts = [] for user in user_account_list: user_service_accounts.append(UserServiceAccount(**user)) db_session.add(user_service_accounts[-1]) db_session.commit() bucket1 = Bucket(name="bucket1", provider_id=cp.id) bucket2 = Bucket(name="bucket2", provider_id=cp.id) bucket3 = Bucket(name="bucket3", provider_id=cp.id) db_session.add(bucket1) db_session.add(bucket2) db_session.add(bucket3) db_session.commit() access_grp1 = GoogleBucketAccessGroup(bucket_id=bucket1.id, email="*****@*****.**") db_session.add(access_grp1) db_session.commit() db_session.add( GoogleProxyGroupToGoogleBucketAccessGroup( proxy_group_id=proxy_groups[0].id, access_group_id=access_grp1.id)) db_session.add( ServiceAccountToGoogleBucketAccessGroup( service_account_id=user_service_accounts[0].id, access_group_id=access_grp1.id, )) db_session.commit()
def test_google_delete_owned_access_token(app, client, oauth_client, cloud_manager, db_session): """ Test ``DELETE /credentials/google``. """ client_id = oauth_client["client_id"] service_account_key = "some_key_321" service_account_id = "123456789" proxy_group_id = "proxy_group_0" path = ("/credentials/google/" + service_account_key) def get_account_keys(*args, **kwargs): # Return the keys only if the correct account is given if args[0] == service_account_id: # Return two keys, first one is NOT the one we're # requesting to delete return [{ "name": "project/service_accounts/keys/over_9000" }, { "name": "project/service_accounts/keys/" + service_account_key }] else: return [] (cloud_manager.return_value.__enter__.return_value. get_service_account_keys_info.side_effect) = get_account_keys with app.test_client() as app_client: # set global client context flask.g.client_id = client_id # get test user info user = (db_session.query(User).filter_by(username="******").first()) user_id = user.id # create a proxy group for user proxy_group = GoogleProxyGroup( id=proxy_group_id, user_id=user_id, ) db_session.add(proxy_group) # create a service account for client for user service_account = GoogleServiceAccount( google_unique_id=service_account_id, client_id=client_id, user_id=user_id, email=(client_id + "-" + str(user_id) + "@test.com")) db_session.add(user) db_session.add(service_account) db_session.commit() response = app_client.delete(path, data={}) # check that the service account id was included in a call to # cloud_manager assert any([ str(mock_call) for mock_call in cloud_manager.mock_calls if service_account_id in str(mock_call) ]) assert response.status_code == 204 # check that we actually requested to delete the correct service key (cloud_manager.return_value.__enter__.return_value. delete_service_account_key).assert_called_with( service_account_id, service_account_key)
def _setup_google_access(db_session, access_1_expires=None, access_2_expires=None): """ Setup some testing data. Args: access_1_expires (str, optional): expiration for the Proxy Group -> Google Bucket Access Group for user 1, defaults to None access_2_expires (str, optional): expiration for the Proxy Group -> Google Bucket Access Group for user 2, defaults to None """ cloud_provider = CloudProvider( name="test_provider", endpoint="https://test.com", backend="test_backend", description="description", service="service", ) db_session.add(cloud_provider) db_session.add( UserServiceAccount( google_unique_id="test_id1", email="*****@*****.**", google_project_id="efewf444", )) db_session.add( UserServiceAccount( google_unique_id="test_id2", email="*****@*****.**", google_project_id="edfwf444", )) db_session.commit() bucket1 = Bucket(name="test_bucket1", provider_id=cloud_provider.id) db_session.add(bucket1) db_session.commit() gpg1 = GoogleProxyGroup(id=1, email="*****@*****.**") gpg2 = GoogleProxyGroup(id=2, email="*****@*****.**") db_session.add(gpg1) db_session.add(gpg2) db_session.commit() gbag1 = GoogleBucketAccessGroup( bucket_id=bucket1.id, email="*****@*****.**", privileges=["read-storage", "write-storage"], ) gbag2 = GoogleBucketAccessGroup( bucket_id=bucket1.id, email="*****@*****.**", privileges=["read-storage"], ) db_session.add(gbag1) db_session.add(gbag2) db_session.commit() db_session.add( GoogleProxyGroupToGoogleBucketAccessGroup(proxy_group_id=gpg1.id, access_group_id=gbag1.id, expires=access_1_expires)) db_session.add( GoogleProxyGroupToGoogleBucketAccessGroup(proxy_group_id=gpg2.id, access_group_id=gbag2.id, expires=access_2_expires)) db_session.commit() return {"google_proxy_group_ids": {"1": gpg1.id, "2": gpg2.id}}