lemur/lemur/tests/test_ldap.py

import pytest
from lemur.auth.ldap import *  # noqa
from mock import patch, MagicMock


class LdapPrincipalTester(LdapPrincipal):
    def __init__(self, args):
        super().__init__(args)
        self.ldap_server = "ldap://localhost"

    def bind_test(self):
        groups = [
            (
                "user",
                {
                    "memberOf": [
                        "CN=Lemur Access,OU=Groups,DC=example,DC=com".encode("utf-8"),
                        "CN=Pen Pushers,OU=Groups,DC=example,DC=com".encode("utf-8"),
                    ]
                },
            )
        ]
        self.ldap_client = MagicMock()
        self.ldap_client.search_s.return_value = groups
        self._bind()

    def authorize_test_groups_to_roles_admin(self):
        self.ldap_groups = "".join(
            [
                "CN=Pen Pushers,OU=Groups,DC=example,DC=com",
                "CN=Lemur Admins,OU=Groups,DC=example,DC=com",
                "CN=Lemur Read Only,OU=Groups,DC=example,DC=com",
            ]
        )
        self.ldap_required_group = None
        self.ldap_groups_to_roles = {
            "Lemur Admins": "admin",
            "Lemur Read Only": "read-only",
        }
        return self._authorize()

    def authorize_test_required_group(self, group):
        self.ldap_groups = "".join(
            [
                "CN=Lemur Access,OU=Groups,DC=example,DC=com",
                "CN=Pen Pushers,OU=Groups,DC=example,DC=com",
            ]
        )
        self.ldap_required_group = group
        return self._authorize()


@pytest.fixture()
def principal(session):
    args = {"username": "user", "password": "p4ssw0rd"}
    yield LdapPrincipalTester(args)


class TestLdapPrincipal:
    @patch("ldap.initialize")
    def test_bind(self, app, principal):
        self.test_ldap_user = principal
        self.test_ldap_user.bind_test()
        group = "Pen Pushers"
        assert group in self.test_ldap_user.ldap_groups
        assert self.test_ldap_user.ldap_principal == "user@example.com"

    def test_authorize_groups_to_roles_admin(self, app, principal):
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_groups_to_roles_admin()
        assert any(x.name == "admin" for x in roles)

    def test_authorize_required_group_missing(self, app, principal):
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_required_group("Not Allowed")
        assert not roles

    def test_authorize_required_group_access(self, session, principal):
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_required_group("Lemur Access")
        assert len(roles) >= 1
        assert any(x.name == "user@example.com" for x in roles)
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`import pytest`
Black lint all the things 2019-05-16 16:57:02 +02:00			`from lemur.auth.ldap import * # noqa`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`from mock import patch, MagicMock`


			`class LdapPrincipalTester(LdapPrincipal):`
			`def __init__(self, args):`
			`super().__init__(args)`
Black lint all the things 2019-05-16 16:57:02 +02:00			`self.ldap_server = "ldap://localhost"`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00
			`def bind_test(self):`
Black lint all the things 2019-05-16 16:57:02 +02:00			`groups = [`
			`(`
			`"user",`
			`{`
			`"memberOf": [`
			`"CN=Lemur Access,OU=Groups,DC=example,DC=com".encode("utf-8"),`
			`"CN=Pen Pushers,OU=Groups,DC=example,DC=com".encode("utf-8"),`
			`]`
			`},`
			`)`
			`]`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`self.ldap_client = MagicMock()`
			`self.ldap_client.search_s.return_value = groups`
			`self._bind()`

			`def authorize_test_groups_to_roles_admin(self):`
Black lint all the things 2019-05-16 16:57:02 +02:00			`self.ldap_groups = "".join(`
			`[`
			`"CN=Pen Pushers,OU=Groups,DC=example,DC=com",`
			`"CN=Lemur Admins,OU=Groups,DC=example,DC=com",`
			`"CN=Lemur Read Only,OU=Groups,DC=example,DC=com",`
			`]`
			`)`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`self.ldap_required_group = None`
Black lint all the things 2019-05-16 16:57:02 +02:00			`self.ldap_groups_to_roles = {`
			`"Lemur Admins": "admin",`
			`"Lemur Read Only": "read-only",`
			`}`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`return self._authorize()`

			`def authorize_test_required_group(self, group):`
Black lint all the things 2019-05-16 16:57:02 +02:00			`self.ldap_groups = "".join(`
			`[`
			`"CN=Lemur Access,OU=Groups,DC=example,DC=com",`
			`"CN=Pen Pushers,OU=Groups,DC=example,DC=com",`
			`]`
			`)`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`self.ldap_required_group = group`
			`return self._authorize()`


			`@pytest.fixture()`
			`def principal(session):`
Black lint all the things 2019-05-16 16:57:02 +02:00			`args = {"username": "user", "password": "p4ssw0rd"}`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`yield LdapPrincipalTester(args)`


			`class TestLdapPrincipal:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`@patch("ldap.initialize")`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`def test_bind(self, app, principal):`
			`self.test_ldap_user = principal`
			`self.test_ldap_user.bind_test()`
Black lint all the things 2019-05-16 16:57:02 +02:00			`group = "Pen Pushers"`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`assert group in self.test_ldap_user.ldap_groups`
Black lint all the things 2019-05-16 16:57:02 +02:00			`assert self.test_ldap_user.ldap_principal == "user@example.com"`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00
			`def test_authorize_groups_to_roles_admin(self, app, principal):`
			`self.test_ldap_user = principal`
			`roles = self.test_ldap_user.authorize_test_groups_to_roles_admin()`
			`assert any(x.name == "admin" for x in roles)`

			`def test_authorize_required_group_missing(self, app, principal):`
			`self.test_ldap_user = principal`
Black lint all the things 2019-05-16 16:57:02 +02:00			`roles = self.test_ldap_user.authorize_test_required_group("Not Allowed")`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`assert not roles`

			`def test_authorize_required_group_access(self, session, principal):`
			`self.test_ldap_user = principal`
Black lint all the things 2019-05-16 16:57:02 +02:00			`roles = self.test_ldap_user.authorize_test_required_group("Lemur Access")`
basic ldap support (#842) 2017-09-04 05:41:43 +02:00			`assert len(roles) >= 1`
			`assert any(x.name == "user@example.com" for x in roles)`