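    def _update_service_account_permissions(self, sa):
        """
        Update the given service account's permissions.

        WARNING: NO AUTHORIZATION CHECK DONE HERE. This will blindly update
                 given service account.

        Args:
            sa (
                fence.resources.google.service_account.GoogleServiceAccountRegistration
            ): the service account object with its email, project_access, a google project,
               and optionally a user who is attempting to modify/add

        Returns:
            tuple: ``(message, http_status)`` -- 200 on success, 404 when the
            patch raises ``CirrusNotFound``, 400 on ``GoogleAPIError`` and 500
            for any other exception.
        """
        try:
            patch_user_service_account(
                sa.google_project_id, sa.email, sa.project_access
            )
        except CirrusNotFound as exc:
            # NOTE(review): the upstream exception text is echoed back to the
            # caller here and in the 400 branch; confirm it carries no
            # internal detail before it is surfaced in a response.
            return (
                "Can not update the service account {}. Detail {}".format(
                    sa.email, exc
                ),
                404,
            )
        except GoogleAPIError as exc:
            return (
                "Can not update the service account {}. Detail {}".format(
                    sa.email, exc
                ),
                400,
            )
        except Exception:
            # Catch-all boundary: anything unexpected becomes a generic 500
            # and the exception detail is deliberately not returned.
            return ("Can not update the service account {}".format(sa.email), 500)

        return ("Successfully update service account {}".format(sa.email), 200)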
def test_update_user_service_account_success3(cloud_manager, db_session,
                                              setup_data):
    """
    Re-grant projects the service account already holds.

    The fixture service account already has test_auth_1 and test_auth_2.
    Patching it with exactly those two projects must trigger neither a Google
    group add nor a Google group remove, and the stored access privileges
    must still map to exactly those two projects.
    """
    target_email = "*****@*****.**"
    wanted_auth_ids = ["test_auth_1", "test_auth_2"]

    sa_row = (
        db_session.query(UserServiceAccount).filter_by(email=target_email).first()
    )
    patch_user_service_account("test", target_email, wanted_auth_ids)

    mocked_group_api = cloud_manager.return_value.__enter__.return_value
    assert not mocked_group_api.add_member_to_group.called
    assert not mocked_group_api.remove_member_from_group.called

    # Ids of the projects the account is expected to keep.
    expected_project_ids = set()
    for project in (
        db_session.query(Project)
        .filter(or_(Project.auth_id == "test_auth_1", Project.auth_id == "test_auth_2"))
        .all()
    ):
        expected_project_ids.add(project.id)

    # Ids actually recorded as privileges for the account after the patch.
    privilege_rows = (
        db_session.query(ServiceAccountAccessPrivilege)
        .filter_by(service_account_id=sa_row.id)
        .all()
    )
    granted_project_ids = {row.project_id for row in privilege_rows}
    assert expected_project_ids == granted_project_ids
def test_update_user_service_account_success3(cloud_manager, db_session,
                                              setup_data):
    """
    Patching with projects the account already holds must remove nothing.

    The fixture service account already has test_auth_1 and test_auth_2.
    Re-sending exactly those two projects must not call the Google group
    remove API, and the stored privileges must still cover exactly those two
    projects. Google-side add calls are deliberately not asserted against:
    since #670 the SA is re-added to every project/GBAG on every update.
    """
    email = "*****@*****.**"
    account = db_session.query(UserServiceAccount).filter_by(email=email).first()

    patch_user_service_account("test", email, ["test_auth_1", "test_auth_2"])

    group_api = cloud_manager.return_value.__enter__.return_value
    assert not group_api.remove_member_from_group.called

    matching_projects = (
        db_session.query(Project)
        .filter(or_(Project.auth_id == "test_auth_1", Project.auth_id == "test_auth_2"))
        .all()
    )
    ids_from_projects = {p.id for p in matching_projects}

    privileges = (
        db_session.query(ServiceAccountAccessPrivilege)
        .filter_by(service_account_id=account.id)
        .all()
    )
    ids_from_privileges = set()
    for privilege in privileges:
        ids_from_privileges.add(privilege.project_id)

    assert ids_from_projects == ids_from_privileges
def test_update_user_service_account_success2(cloud_manager, db_session, setup_data):
    """
    Replace an account's whole project list.

    The fixture service account starts with two access privileges and two
    bucket-access-group links (test_auth_1 and test_auth_2). After patching
    it with only test_auth_3, exactly one privilege remains and it points at
    the test_auth_3 project; the bucket-group links collapse to one as well.
    """
    group_api = cloud_manager.return_value.__enter__.return_value
    group_api.add_member_to_group.return_value = {
        "kind": "admin#directory#member",
        "etag": "test_etag",
        "id": "test_id",
        "email": "test@g,ail.com",
        "role": "test_role",
        "type": "test_type",
    }
    group_api.remove_member_from_group.return_value = {}

    sa_email = "*****@*****.**"
    sa_row = db_session.query(UserServiceAccount).filter_by(email=sa_email).first()

    def privileges_for(account_id):
        # Current ServiceAccountAccessPrivilege rows for the account.
        return (
            db_session.query(ServiceAccountAccessPrivilege)
            .filter_by(service_account_id=account_id)
            .all()
        )

    def bucket_groups_for(account_id):
        # Current bucket-access-group links for the account.
        return (
            db_session.query(ServiceAccountToGoogleBucketAccessGroup)
            .filter_by(service_account_id=account_id)
            .all()
        )

    # Precondition: two projects and two bucket groups before the patch.
    assert len(privileges_for(sa_row.id)) == 2
    assert len(bucket_groups_for(sa_row.id)) == 2

    patch_user_service_account("test", sa_email, ["test_auth_3"])

    new_project = db_session.query(Project).filter_by(auth_id="test_auth_3").first()
    remaining = privileges_for(sa_row.id)
    assert len(remaining) == 1
    assert remaining[0].project_id == new_project.id
    assert len(bucket_groups_for(sa_row.id)) == 1
def test_update_user_service_account_success(cloud_manager, db_session, setup_data):
    """
    Shrink an account's project list to a single project.

    The fixture service account starts with test_auth_1 and test_auth_2 (two
    access privileges, two bucket-group links). After patching it with only
    test_auth_1, exactly one privilege remains and it points at the
    test_auth_1 project; only one bucket-group link remains.
    """
    mocked_api = cloud_manager.return_value.__enter__.return_value
    mocked_api.add_member_to_group.return_value = {"email": "*****@*****.**"}
    mocked_api.remove_member_from_group.return_value = {}

    email = "*****@*****.**"
    account = db_session.query(UserServiceAccount).filter_by(email=email).first()

    # Both queries are re-executed each time .all() is called.
    privilege_query = db_session.query(ServiceAccountAccessPrivilege).filter_by(
        service_account_id=account.id
    )
    bucket_group_query = db_session.query(
        ServiceAccountToGoogleBucketAccessGroup
    ).filter_by(service_account_id=account.id)

    assert len(privilege_query.all()) == 2
    assert len(bucket_group_query.all()) == 2

    patch_user_service_account("test", email, ["test_auth_1"])

    kept_project = db_session.query(Project).filter_by(auth_id="test_auth_1").first()
    kept_ids = [privilege.project_id for privilege in privilege_query.all()]
    assert kept_ids == [kept_project.id]

    assert len(bucket_group_query.all()) == 1
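def test_update_service_account_fail_no_project(cloud_manager, db_session,
                                                setup_data):
    """
    Test that patching with an unknown project auth id raises NotFound.

    The call is made directly rather than behind ``assert`` so the request is
    still issued when Python strips assert statements (``-O``).
    """
    with pytest.raises(fence.errors.NotFound):
        patch_user_service_account("google_test", "*****@*****.**",
                                   ["no_project_auth"])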
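def test_update_user_service_account_raise_NotFound_exc(
        cloud_manager, db_session, setup_data):
    """
    Test that patching a service account that does not exist raises NotFound.

    The call is made directly rather than behind ``assert`` so the request is
    still issued when Python strips assert statements (``-O``).
    """
    with pytest.raises(fence.errors.NotFound):
        patch_user_service_account("google_test",
                                   "non_existed_service_account",
                                   ["test_auth_1"])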
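def test_update_user_service_account_raise_GoogleAPI_exc(
        cloud_manager, db_session, setup_data):
    """
    Test that a Google API error while removing a member from a group
    propagates out of patch_user_service_account as CirrusError.

    The call is made directly rather than behind ``assert`` so the request is
    still issued when Python strips assert statements (``-O``).
    """
    # Make the mocked group API fail on the remove path only.
    (cloud_manager.return_value.__enter__.return_value.
     remove_member_from_group.side_effect) = CirrusError("exception")

    with pytest.raises(CirrusError):
        patch_user_service_account("test", "*****@*****.**",
                                   ["test_auth_2"])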
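def test_update_user_service_account_raise_GoogleAPI_exc4(
    cloud_manager, db_session, setup_data
):
    """
    Test that a Google API error while deleting members from groups
    propagates out of patch_user_service_account as CirrusError.

    The call is made directly rather than behind ``assert`` so the request is
    still issued when Python strips assert statements (``-O``).
    """
    # NOTE(review): the sibling tests configure ``remove_member_from_group``;
    # this one sets ``delete_member_from_group``, which a MagicMock will
    # happily auto-create even if the code never calls it. Confirm this is the
    # method patch_user_service_account actually invokes.
    (
        cloud_manager.return_value.__enter__.return_value.delete_member_from_group.return_value
    ) = {"a": "b"}

    with pytest.raises(CirrusError):
        patch_user_service_account("test", "*****@*****.**", ["test_auth_1"])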
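def test_update_user_service_account_raise_GoogleAPI_exc2(
        cloud_manager, db_session, setup_data):
    """
    Test that an error while adding a member to a Google group propagates
    out of patch_user_service_account.

    The call is made directly rather than behind ``assert`` so the request is
    still issued when Python strips assert statements (``-O``).
    """
    # NOTE(review): ``Exception`` is the only type the mocked side_effect
    # guarantees; a narrower expectation would require knowing whether
    # patch_user_service_account re-wraps the error.
    (cloud_manager.return_value.__enter__.return_value.add_member_to_group.
     side_effect) = Exception("exception")

    with pytest.raises(Exception):
        patch_user_service_account(
            "test", "*****@*****.**",
            ["test_auth_1", "test_auth_2", "test_auth_3"])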