def test_permission_grant_denied(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Check that two unauthorized attempts to grant a service-account permission are refused.

    Setup grants ("some-permission", "foo") to some-group and creates a service
    account under that group. The test then drives the frontend as two
    different users and expects a "Permission denied" alert for the first and
    a 403 error page for the second.

    The e-mail literals are masked in this listing, so which user each
    frontend_server session runs as is known only from the inline comments.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.add_user_to_group("*****@*****.**", "other-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    # Owning-team member: the team holds some-permission only with argument
    # "foo". The form entry "some-permission (foo)" is selected but the
    # argument is changed to "bar", so this checks that the submitted argument
    # itself is authorized, not just the selected entry.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        grant_url = url(base_url, "/groups/some-group/service/[email protected]/grant")
        browser.get(grant_url)

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("bar")
        grant_form.submit()
        assert grant_form.has_alert("Permission denied")

    # Unrelated user: the Add Permission button is still rendered, so the
    # button's visibility is not the access control. What is asserted is the
    # 403 returned by the page behind it.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        account_url = url(base_url, "/groups/some-group/service/[email protected]")
        browser.get(account_url)

        account_page = ServiceAccountViewPage(browser)
        # An empty list here also suggests the refused grant above was not
        # persisted -- presumably the same service account; the addresses are
        # masked, so confirm against the original file.
        assert len(account_page.permission_rows) == 0
        account_page.click_add_permission_button()

        error_page = ErrorPage(browser)
        assert error_page.heading == "Error"
        assert error_page.subheading == "403 Forbidden"
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Grant a permission to a service account through the UI, then revoke it.

    Setup grants ("some-permission", "foo") to some-group and creates a service
    account under that group. The test checks the permission list before the
    grant, after the grant and after the revoke, and that the displayed owner
    stays "some-group" at each step.

    The e-mail literals are masked in this listing, so the acting user is not
    identifiable from the code shown here.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        account_url = url(base_url, "/groups/some-group/service/[email protected]")
        browser.get(account_url)

        # Starting state: owned by some-group, nothing granted yet.
        account_page = ServiceAccountViewPage(browser)
        assert account_page.owner == "some-group"
        assert account_page.permission_rows == []

        # Grant some-permission with the argument the owning group holds.
        account_page.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        # The same view-page object is reused after the submit.
        # NOTE(review): this presumably relies on the page object re-reading
        # the DOM on each access -- confirm.
        assert account_page.owner == "some-group"
        rows = account_page.permission_rows
        assert len(rows) == 1
        granted = rows[0]
        assert granted.permission == "some-permission"
        assert granted.argument == "foo"

        # Revoke through the confirmation modal; the list must be empty again
        # and the owner unchanged.
        granted.click_revoke_button()
        revoke_modal = account_page.get_revoke_permission_modal()
        revoke_modal.confirm()

        assert account_page.owner == "some-group"
        assert account_page.permission_rows == []
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Grant a permission to a service account through the UI, then revoke it.

    Setup grants ("some-permission", "foo") to some-group and creates a service
    account under that group. The test checks that the permission list is empty
    before the grant, holds exactly the new grant afterwards, and is empty
    again once the revoke has been confirmed.

    The e-mail literals are masked in this listing, so the acting user is not
    identifiable from the code shown here.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        account_url = url(base_url, "/groups/some-group/service/[email protected]")
        browser.get(account_url)

        # Starting state: nothing granted yet.
        account_page = ServiceAccountViewPage(browser)
        assert account_page.permission_rows == []

        # Grant some-permission with the argument the owning group holds.
        account_page.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        # A fresh view-page object is built after the submit before reading
        # the permission list.
        account_page = ServiceAccountViewPage(browser)
        rows = account_page.permission_rows
        assert len(rows) == 1
        granted = rows[0]
        assert granted.permission == "some-permission"
        assert granted.argument == "foo"

        # Revoke through the confirmation modal; the list must be empty again.
        granted.click_revoke_button()
        revoke_modal = account_page.get_revoke_permission_modal()
        revoke_modal.confirm()

        assert account_page.permission_rows == []
def test_permission_grant(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Check the three ways a permission may be granted to a service account.

    Setup creates three sources of grant authority:

    * some-group holds ("some-permission", "foo") and has the service account
      created under it;
    * other-group holds "grouper.permission.grant" with argument
      "some-permission/bar";
    * permission-admins holds PERMISSION_ADMIN with an empty argument.

    Each frontend_server session then grants one more permission and the test
    checks the row count and the newest row. Only permitted grants are covered
    in this function.

    The e-mail literals are masked in this listing, so which user each session
    runs as is known only from the inline comments.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.add_user_to_group("*****@*****.**", "other-group")
        setup.add_user_to_group("*****@*****.**", "permission-admins")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.grant_permission_to_group(
            "grouper.permission.grant", "some-permission/bar", "other-group"
        )
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "permission-admins")
        setup.create_service_account("*****@*****.**", "some-group")

    # Member of the owning group: may delegate a permission the group itself
    # holds, with the same argument ("foo").
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        account_url = url(base_url, "/groups/some-group/service/[email protected]")
        browser.get(account_url)

        account_page = ServiceAccountViewPage(browser)
        assert account_page.permission_rows == []

        account_page.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        rows = account_page.permission_rows
        assert len(rows) == 1
        newest = rows[0]
        assert newest.permission == "some-permission"
        assert newest.argument == "foo"

    # Unrelated user: the authority comes from grouper.permission.grant with
    # argument "some-permission/bar", so the grant made is exactly
    # some-permission with argument "bar".
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        account_url = url(base_url, "/groups/some-group/service/[email protected]")
        browser.get(account_url)

        account_page = ServiceAccountViewPage(browser)
        assert len(account_page.permission_rows) == 1

        account_page.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (bar)")
        grant_form.set_argument("bar")
        grant_form.submit()

        rows = account_page.permission_rows
        assert len(rows) == 2
        # NOTE(review): indexing the last row assumes the list is shown in
        # grant order -- confirm against the page's sort order.
        newest = rows[1]
        assert newest.permission == "some-permission"
        assert newest.argument == "bar"

    # Permission admin: can grant any permission with any argument to any
    # service account; the form offers "some-permission (*)" and an arbitrary
    # argument is accepted.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        account_url = url(base_url, "/groups/some-group/service/[email protected]")
        browser.get(account_url)

        account_page = ServiceAccountViewPage(browser)
        assert len(account_page.permission_rows) == 2

        account_page.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (*)")
        grant_form.set_argument("weewoo")
        grant_form.submit()

        rows = account_page.permission_rows
        assert len(rows) == 3
        # Same ordering assumption as for the second grant above.
        newest = rows[2]
        assert newest.permission == "some-permission"
        assert newest.argument == "weewoo"