def test_google_delete_invalid_access_token(app, client, oauth_client,
cloud_manager, db_session):
"""
Test ``DELETE /credentials/google``.
"""
client_id = oauth_client["client_id"]
service_account_key = "some_key_321"
service_account_id = "123456789"
proxy_group_id = "proxy_group_0"
path = ("/credentials/google/" + service_account_key + "/")
def get_account_keys(*args, **kwargs):
# Return the keys only if the correct account is given
if args[0] == service_account_id:
# Return two keys, NEITHER are the key we want to delete
return [{
"name": "project/service_accounts/keys/voyager"
}, {
"name": "project/service_accounts/keys/deep-space-nine"
}]
else:
return []
(cloud_manager.return_value.__enter__.return_value.
get_service_account_keys_info.side_effect) = get_account_keys
with app.test_client() as app_client:
# set global client context
flask.g.client_id = client_id
# get test user info
user = (db_session.query(User).filter_by(username="******").first())
user_id = user.id
# create a proxy group for user
proxy_group = GoogleProxyGroup(
id=proxy_group_id,
user_id=user_id,
)
db_session.add(proxy_group)
# create a service account for client for user
service_account = GoogleServiceAccount(
google_unique_id=service_account_id,
client_id=client_id,
user_id=user_id,
email=(client_id + "-" + str(user_id) + "@test.com"))
db_session.add(user)
db_session.add(service_account)
db_session.commit()
response = app_client.delete(path, data={})
# check that we didn't try to delete, since the key doesn't exist
assert (cloud_manager.return_value.__enter__.return_value.
delete_service_account_key).called is False
assert response.status_code == 404
def test_google_access_token_new_service_account(app, oauth_client, db_session,
cloud_manager):
"""
Test that ``POST /credentials/google`` creates a new service
account for the user if one doesn't exist.
"""
_populate_test_identity(db_session, name=IdentityProvider.itrust)
client_id = oauth_client['client_id']
new_service_account = {
'uniqueId': '987654321',
'email': '*****@*****.**'
}
proxy_group_id = 'proxy_group_0'
path = '/credentials/google/'
# return new service account
(cloud_manager.return_value.__enter__.return_value.
create_service_account_for_proxy_group.return_value) = new_service_account
with app.test_client() as app_client:
# set global client context
flask.g.client_id = client_id
service_accounts_before = (
db_session.query(GoogleServiceAccount).filter_by(
client_id=client_id)).count()
# get test user info
user = (db_session.query(User).filter_by(username='******').first())
user_id = user.id
# create a proxy group for user
proxy_group = GoogleProxyGroup(
id=proxy_group_id,
user_id=user_id,
)
db_session.add(user)
db_session.add(proxy_group)
db_session.commit()
response = app_client.post(path)
service_accounts_after = (
db_session.query(GoogleServiceAccount).filter_by(
client_id=client_id)).count()
# make sure we created a new service account for the user's proxy
# group and added it to the db
assert (cloud_manager.return_value.__enter__.return_value.
create_service_account_for_proxy_group).called
assert service_accounts_after == service_accounts_before + 1
assert response.status_code == 200
def test_google_attempt_delete_unowned_access_token(app, client, oauth_client,
cloud_manager, db_session):
"""
Test ``DELETE /credentials/google``.
"""
client_id = oauth_client["client_id"]
service_account_key = "some_key_321"
proxy_group_id = "proxy_group_0"
path = ("/credentials/google/" + service_account_key + "/")
with app.test_client() as app_client:
# set global client context
flask.g.client_id = client_id
# get test user info
user = (db_session.query(User).filter_by(username="******").first())
user_id = user.id
# create a proxy group for user
proxy_group = GoogleProxyGroup(
id=proxy_group_id,
user_id=user_id,
)
db_session.add(proxy_group)
# create a service account for A DIFFERENT CLIENT
client = Client(
client_id="NOT_THIS_GUY",
client_secret="a0987u23on192y",
name="NOT_THIS_GUY",
)
service_account = GoogleServiceAccount(
google_unique_id="123456789",
client_id="NOT_THIS_GUY",
user_id=user_id,
email=("NOT_THIS_GUY" + "-" + str(user_id) + "@test.com"))
db_session.add(user)
db_session.add(client)
db_session.add(service_account)
db_session.commit()
response = app_client.delete(path, data={})
# check that we didn't try to get key info or delete,
# since the current user/client doesn't have the key
assert (cloud_manager.return_value.__enter__.return_value.
get_service_account_keys_info).called is False
assert (cloud_manager.return_value.__enter__.return_value.
delete_service_account_key).called is False
assert response.status_code == 404
def test_google_create_access_token_post(app, oauth_client, cloud_manager,
db_session):
"""
Test ``POST /credentials/google`` gets a new access key.
"""
client_id = oauth_client['client_id']
service_account_id = '123456789'
proxy_group_id = 'proxy_group_0'
path = '/credentials/google/'
data = {}
with app.test_client() as app_client:
# set global client context
flask.g.client_id = client_id
# get test user info
user = (db_session.query(User).filter_by(username='******').first())
user_id = user.id
# create a proxy group for user
proxy_group = GoogleProxyGroup(
id=proxy_group_id,
user_id=user_id,
)
db_session.add(proxy_group)
# create a service account for client for user
service_account = GoogleServiceAccount(
google_unique_id=service_account_id,
client_id=client_id,
user_id=user_id,
email=(client_id + '-' + str(user_id) + '@test.com'))
db_session.add(user)
db_session.add(service_account)
db_session.commit()
response = app_client.post(path, data=data)
# check that the service account id was included in a
# call to cloud_manager
(cloud_manager.return_value.__enter__.return_value.get_access_key
).assert_called_with(service_account_id)
assert response.status_code == 200
def load_google_specific_user_data(db_session, test_user_d):
"""Add Google-specific user data to Fence db."""
gpg = GoogleProxyGroup(id=userd_dict["gpg_id"],
email=userd_dict["gpg_email"])
gsak = GoogleServiceAccountKey(
id=userd_dict["gsak_id"],
key_id=userd_dict["gsak_key_id"],
service_account_id=userd_dict["gsa_id"],
)
gsa = GoogleServiceAccount(
id=userd_dict["gsa_id"],
google_unique_id="d_gui",
user_id=userd_dict["user_id"],
google_project_id="d_gpid",
email=userd_dict["gsa_email"],
)
bkt = Bucket(id=userd_dict["bucket_id"])
gbag = GoogleBucketAccessGroup(
id=userd_dict["gbag_id"],
bucket_id=userd_dict["bucket_id"],
email=userd_dict["gbag_email"],
)
gpg_gbag = GoogleProxyGroupToGoogleBucketAccessGroup(
id=userd_dict["gpg_to_gbag_id"],
proxy_group_id=userd_dict["gpg_id"],
access_group_id=userd_dict["gbag_id"],
)
uga = UserGoogleAccount(
id=userd_dict["uga_id"],
email=userd_dict["uga_email"],
user_id=userd_dict["user_id"],
)
uga_pg = UserGoogleAccountToProxyGroup(
user_google_account_id=userd_dict["uga_id"],
proxy_group_id=userd_dict["gpg_id"])
db_session.add_all([gpg, gsak, gsa, bkt, gbag, gpg_gbag, uga, uga_pg])
user = (db_session.query(User).filter_by(
username=userd_dict["user_username"]).first())
user.google_proxy_group_id = userd_dict["gpg_id"]
db_session.commit()
def setup_test_data(db_session):
cp = CloudProvider(name="test", endpoint="http://test.endpt")
proxy_group_list = [
{
"id": "group1",
"email": "*****@*****.**"
},
{
"id": "group2",
"email": "*****@*****.**"
},
]
user_account_list = [
{
"google_unique_id": "test_id1",
"email": "*****@*****.**",
"google_project_id": "test",
},
{
"google_unique_id": "test_id2",
"email": "*****@*****.**",
"google_project_id": "test",
},
]
proxy_groups = []
for group in proxy_group_list:
proxy_groups.append(GoogleProxyGroup(**group))
db_session.add(proxy_groups[-1])
user_service_accounts = []
for user in user_account_list:
user_service_accounts.append(UserServiceAccount(**user))
db_session.add(user_service_accounts[-1])
db_session.commit()
bucket1 = Bucket(name="bucket1", provider_id=cp.id)
bucket2 = Bucket(name="bucket2", provider_id=cp.id)
bucket3 = Bucket(name="bucket3", provider_id=cp.id)
db_session.add(bucket1)
db_session.add(bucket2)
db_session.add(bucket3)
db_session.commit()
access_grp1 = GoogleBucketAccessGroup(bucket_id=bucket1.id,
email="*****@*****.**")
db_session.add(access_grp1)
db_session.commit()
db_session.add(
GoogleProxyGroupToGoogleBucketAccessGroup(
proxy_group_id=proxy_groups[0].id, access_group_id=access_grp1.id))
db_session.add(
ServiceAccountToGoogleBucketAccessGroup(
service_account_id=user_service_accounts[0].id,
access_group_id=access_grp1.id,
))
db_session.commit()
def test_google_delete_owned_access_token(app, client, oauth_client,
cloud_manager, db_session):
"""
Test ``DELETE /credentials/google``.
"""
client_id = oauth_client["client_id"]
service_account_key = "some_key_321"
service_account_id = "123456789"
proxy_group_id = "proxy_group_0"
path = ("/credentials/google/" + service_account_key)
def get_account_keys(*args, **kwargs):
# Return the keys only if the correct account is given
if args[0] == service_account_id:
# Return two keys, first one is NOT the one we're
# requesting to delete
return [{
"name": "project/service_accounts/keys/over_9000"
}, {
"name":
"project/service_accounts/keys/" + service_account_key
}]
else:
return []
(cloud_manager.return_value.__enter__.return_value.
get_service_account_keys_info.side_effect) = get_account_keys
with app.test_client() as app_client:
# set global client context
flask.g.client_id = client_id
# get test user info
user = (db_session.query(User).filter_by(username="******").first())
user_id = user.id
# create a proxy group for user
proxy_group = GoogleProxyGroup(
id=proxy_group_id,
user_id=user_id,
)
db_session.add(proxy_group)
# create a service account for client for user
service_account = GoogleServiceAccount(
google_unique_id=service_account_id,
client_id=client_id,
user_id=user_id,
email=(client_id + "-" + str(user_id) + "@test.com"))
db_session.add(user)
db_session.add(service_account)
db_session.commit()
response = app_client.delete(path, data={})
# check that the service account id was included in a call to
# cloud_manager
assert any([
str(mock_call) for mock_call in cloud_manager.mock_calls
if service_account_id in str(mock_call)
])
assert response.status_code == 204
# check that we actually requested to delete the correct service key
(cloud_manager.return_value.__enter__.return_value.
delete_service_account_key).assert_called_with(
service_account_id, service_account_key)
def _setup_google_access(db_session,
access_1_expires=None,
access_2_expires=None):
"""
Setup some testing data.
Args:
access_1_expires (str, optional): expiration for the Proxy Group ->
Google Bucket Access Group for user 1, defaults to None
access_2_expires (str, optional): expiration for the Proxy Group ->
Google Bucket Access Group for user 2, defaults to None
"""
cloud_provider = CloudProvider(
name="test_provider",
endpoint="https://test.com",
backend="test_backend",
description="description",
service="service",
)
db_session.add(cloud_provider)
db_session.add(
UserServiceAccount(
google_unique_id="test_id1",
email="*****@*****.**",
google_project_id="efewf444",
))
db_session.add(
UserServiceAccount(
google_unique_id="test_id2",
email="*****@*****.**",
google_project_id="edfwf444",
))
db_session.commit()
bucket1 = Bucket(name="test_bucket1", provider_id=cloud_provider.id)
db_session.add(bucket1)
db_session.commit()
gpg1 = GoogleProxyGroup(id=1, email="*****@*****.**")
gpg2 = GoogleProxyGroup(id=2, email="*****@*****.**")
db_session.add(gpg1)
db_session.add(gpg2)
db_session.commit()
gbag1 = GoogleBucketAccessGroup(
bucket_id=bucket1.id,
email="*****@*****.**",
privileges=["read-storage", "write-storage"],
)
gbag2 = GoogleBucketAccessGroup(
bucket_id=bucket1.id,
email="*****@*****.**",
privileges=["read-storage"],
)
db_session.add(gbag1)
db_session.add(gbag2)
db_session.commit()
db_session.add(
GoogleProxyGroupToGoogleBucketAccessGroup(proxy_group_id=gpg1.id,
access_group_id=gbag1.id,
expires=access_1_expires))
db_session.add(
GoogleProxyGroupToGoogleBucketAccessGroup(proxy_group_id=gpg2.id,
access_group_id=gbag2.id,
expires=access_2_expires))
db_session.commit()
return {"google_proxy_group_ids": {"1": gpg1.id, "2": gpg2.id}}