lemur/lemur/tests/test_ldap.py

import pytest
from lemur.auth.ldap import *  # noqa
from mock import patch, MagicMock


class LdapPrincipalTester(LdapPrincipal):
    def __init__(self, args):
        super().__init__(args)
        self.ldap_server = "ldap://localhost"

    def bind_test(self):
        groups = [
            (
                "user",
                {
                    "memberOf": [
                        "CN=Lemur Access,OU=Groups,DC=example,DC=com".encode("utf-8"),
                        "CN=Pen Pushers,OU=Groups,DC=example,DC=com".encode("utf-8"),
                    ]
                },
            )
        ]
        self.ldap_client = MagicMock()
        self.ldap_client.search_s.return_value = groups
        self._bind()

    def authorize_test_groups_to_roles_admin(self):
        self.ldap_groups = "".join(
            [
                "CN=Pen Pushers,OU=Groups,DC=example,DC=com",
                "CN=Lemur Admins,OU=Groups,DC=example,DC=com",
                "CN=Lemur Read Only,OU=Groups,DC=example,DC=com",
            ]
        )
        self.ldap_required_group = None
        self.ldap_groups_to_roles = {
            "Lemur Admins": "admin",
            "Lemur Read Only": "read-only",
        }
        return self._authorize()

    def authorize_test_required_group(self, group):
        self.ldap_groups = "".join(
            [
                "CN=Lemur Access,OU=Groups,DC=example,DC=com",
                "CN=Pen Pushers,OU=Groups,DC=example,DC=com",
            ]
        )
        self.ldap_required_group = group
        return self._authorize()


@pytest.fixture()
def principal(session):
    args = {"username": "user", "password": "p4ssw0rd"}
    yield LdapPrincipalTester(args)


class TestLdapPrincipal:
    @patch("ldap.initialize")
    def test_bind(self, app, principal):
        self.test_ldap_user = principal
        self.test_ldap_user.bind_test()
        group = "Pen Pushers"
        assert group in self.test_ldap_user.ldap_groups
        assert self.test_ldap_user.ldap_principal == "user@example.com"

    def test_authorize_groups_to_roles_admin(self, app, principal):
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_groups_to_roles_admin()
        assert any(x.name == "admin" for x in roles)

    def test_authorize_required_group_missing(self, app, principal):
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_required_group("Not Allowed")
        assert not roles

    def test_authorize_required_group_access(self, session, principal):
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_required_group("Lemur Access")
        assert len(roles) >= 1
        assert any(x.name == "user@example.com" for x in roles)