import pytest
from lemur.auth.ldap import * # noqa
from mock import patch, MagicMock
class LdapPrincipalTester(LdapPrincipal):
    """``LdapPrincipal`` subclass that exposes the protected ``_bind`` / ``_authorize`` steps to tests.

    The instance state those steps read (``ldap_client``, ``ldap_groups``,
    ``ldap_required_group``, ``ldap_groups_to_roles``) is assigned directly by
    the helper methods below instead of coming from a directory or app config.
    """

    def __init__(self, args):
        """Construct the principal from *args* and point it at a local LDAP URL.

        Args:
            args: Credentials mapping handed straight to ``LdapPrincipal.__init__``.
        """
        super().__init__(args)
        # No server is ever contacted: ``ldap.initialize`` is patched in the
        # tests and ``ldap_client`` is swapped for a mock in ``bind_test``.
        self.ldap_server = "ldap://localhost"

    def bind_test(self):
        """Run ``_bind`` against a mocked client whose search reports two groups."""
        member_of = [
            dn.encode("utf-8")
            for dn in (
                "CN=Lemur Access,OU=Groups,DC=example,DC=com",
                "CN=Pen Pushers,OU=Groups,DC=example,DC=com",
            )
        ]
        # Shape looks like a python-ldap ``search_s`` result, i.e.
        # [(dn, {attribute: [bytes, ...]})] — confirm against ``_bind`` if it changes.
        search_result = [("user", {"memberOf": member_of})]
        fake_client = MagicMock()
        fake_client.search_s.return_value = search_result
        self.ldap_client = fake_client
        self._bind()

    def authorize_test_groups_to_roles_admin(self):
        """Run ``_authorize`` with a group-to-role map and no required group.

        Returns:
            Whatever ``_authorize`` returns for a member of ``Lemur Admins``
            and ``Lemur Read Only``.
        """
        # The group DNs are deliberately concatenated with no separator,
        # the same string form the original test built with ``''.join``.
        # NOTE(review): if ``_authorize`` tests membership with ``in`` on this
        # string, a group whose name merely *contains* a configured name would
        # also match — confirm the implementation compares whole names.
        self.ldap_groups = (
            "CN=Pen Pushers,OU=Groups,DC=example,DC=com"
            "CN=Lemur Admins,OU=Groups,DC=example,DC=com"
            "CN=Lemur Read Only,OU=Groups,DC=example,DC=com"
        )
        self.ldap_required_group = None
        self.ldap_groups_to_roles = {"Lemur Admins": "admin", "Lemur Read Only": "read-only"}
        return self._authorize()

    def authorize_test_required_group(self, group):
        """Run ``_authorize`` with *group* configured as the required group.

        Args:
            group: Group name that must be present in ``ldap_groups``.

        Returns:
            Whatever ``_authorize`` returns; ``ldap_groups_to_roles`` is left
            at whatever value it already had.
        """
        # Same separator-less concatenation as the original ``''.join`` form.
        self.ldap_groups = (
            "CN=Lemur Access,OU=Groups,DC=example,DC=com"
            "CN=Pen Pushers,OU=Groups,DC=example,DC=com"
        )
        self.ldap_required_group = group
        return self._authorize()
@pytest.fixture()
def principal(session):
    """Yield an ``LdapPrincipalTester`` for a fixed test user.

    ``session`` is not used directly; it is requested presumably so the
    database fixture is active while ``_authorize`` looks roles up — verify
    against the fixture definitions in conftest.
    """
    credentials = dict(username="user", password="p4ssw0rd")
    yield LdapPrincipalTester(credentials)
class TestLdapPrincipal:
    """Exercise bind and authorization through ``LdapPrincipalTester``."""

    @patch("ldap.initialize")
    def test_bind(self, app, principal):
        """Binding fills ``ldap_groups`` and derives the e-mail style principal.

        NOTE(review): ``@patch`` passes its mock positionally and pytest drops
        that many leading parameter names from fixture resolution, so ``app``
        here most likely receives the ``ldap.initialize`` mock rather than the
        ``app`` fixture — verify and rename the parameter if so.
        """
        self.test_ldap_user = principal
        user = self.test_ldap_user
        user.bind_test()
        assert "Pen Pushers" in user.ldap_groups
        assert user.ldap_principal == "user@example.com"

    def test_authorize_groups_to_roles_admin(self, app, principal):
        """Membership in a mapped group yields the mapped ``admin`` role."""
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_groups_to_roles_admin()
        role_names = [role.name for role in roles]
        assert "admin" in role_names

    def test_authorize_required_group_missing(self, app, principal):
        """A required group the user does not belong to yields no roles."""
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_required_group("Not Allowed")
        assert not roles

    def test_authorize_required_group_access(self, session, principal):
        """A required group the user belongs to grants at least the per-user role."""
        self.test_ldap_user = principal
        roles = self.test_ldap_user.authorize_test_required_group("Lemur Access")
        assert len(roles) >= 1
        role_names = [role.name for role in roles]
        assert "user@example.com" in role_names