From bbd29148244bcf8898a6842c49423688004e3c46 Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Thu, 20 Feb 2020 13:51:38 -0500 Subject: [PATCH 01/13] azure disable user call --- atst/domain/csp/cloud/azure_cloud_provider.py | 35 ++++++++++++++++ atst/domain/csp/cloud/mock_cloud_provider.py | 2 +- tests/domain/cloud/test_azure_csp.py | 42 +++++++++++++++++++ 3 files changed, 78 insertions(+), 1 deletion(-) diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py index 39c2e83a..5a42b8a0 100644 --- a/atst/domain/csp/cloud/azure_cloud_provider.py +++ b/atst/domain/csp/cloud/azure_cloud_provider.py @@ -311,6 +311,41 @@ class AzureCloudProvider(CloudProviderInterface): management_group_id=management_group_id, ) + def disable_user(self, tenant_id, cloud_id): + sp_token = self._get_tenant_principal_token(tenant_id) + if sp_token is None: + raise AuthenticationException("Could not resolve token in disable user") + headers = { + "Authorization": f"Bearer {sp_token}", + } + + try: + result = self.sdk.requests.delete( + f"{self.sdk.cloud.endpoints.resource_manager}providers/Microsoft.Authorization/roleAssignments/{cloud_id}?api-version=2015-07-01", + headers=headers, + timeout=30, + ) + result.raise_for_status() + return result.json() + + except self.sdk.requests.exceptions.ConnectionError: + app.logger.error( + f"Could not disable user. Connection Error", exc_info=1, + ) + raise ConnectionException("connection error azure disable user") + except self.sdk.requests.exceptions.Timeout: + app.logger.error( + f"Could not disable user. Request timed out.", exc_info=1, + ) + raise ConnectionException("timout error azure disable user") + except self.sdk.requests.exceptions.HTTPError as exc: + app.logger.error( + result.status_code, "azure application error disable user", exc_info=1, + ) + raise UnknownServerException( + result.status_code, f"azure application error disable user. {str(exc)}", + ) + def create_tenant(self, payload: TenantCSPPayload): sp_token = self._get_root_provisioning_token() if sp_token is None: diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py index a34f40d5..87f78b3b 100644 --- a/atst/domain/csp/cloud/mock_cloud_provider.py +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -417,7 +417,7 @@ class MockCloudProvider(CloudProviderInterface): self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) return self._id() - def disable_user(self, auth_credentials, csp_user_id): + def disable_user(self, tenant_id, cloud_id): self._authorize(auth_credentials) self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) diff --git a/tests/domain/cloud/test_azure_csp.py b/tests/domain/cloud/test_azure_csp.py index 5deddc63..049b291b 100644 --- a/tests/domain/cloud/test_azure_csp.py +++ b/tests/domain/cloud/test_azure_csp.py @@ -206,6 +206,48 @@ def test_create_policy_definition_succeeds(mock_azure: AzureCloudProvider): ) +def test_disable_user(mock_azure: AzureCloudProvider): + mock_result = Mock() + mock_result.json.return_value = { + "properties": { + "roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/roledefinitionId", + "principalId": "Pid", + "scope": "/subscriptions/subId/resourcegroups/rgname", + }, + "id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId", + "type": "Microsoft.Authorization/roleAssignments", + "name": "roleassignmentId", + } + + mock_result.status_code = 200 + mock_http_error_resp = mock_requests_response( + status=500, + raise_for_status=mock_azure.sdk.requests.exceptions.HTTPError( + "500 Server Error" + ), + ) + mock_azure.sdk.requests.delete.side_effect = [ + mock_azure.sdk.requests.exceptions.ConnectionError, + mock_azure.sdk.requests.exceptions.Timeout, + mock_http_error_resp, + mock_result, + ] + mock_azure = mock_get_secret(mock_azure) + + tenant_id = "60ff9d34-82bf-4f21-b565-308ef0533435" + cloud_id = "roleassignmentId" + + with pytest.raises(ConnectionException): + mock_azure.disable_user(tenant_id, cloud_id) + with pytest.raises(ConnectionException): + mock_azure.disable_user(tenant_id, cloud_id) + with pytest.raises(UnknownServerException, match=r".*500 Server Error.*"): + mock_azure.disable_user(tenant_id, cloud_id) + + result = mock_azure.disable_user(tenant_id, cloud_id) + assert result.get("name") == cloud_id + + def test_create_tenant(mock_azure: AzureCloudProvider): mock_result = Mock() mock_result.json.return_value = { From 08ca093eda1d14734f9348ebe680330cb0aed3fb Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Thu, 20 Feb 2020 14:22:05 -0500 Subject: [PATCH 02/13] azure disable_user update url, assignment id --- atst/domain/csp/cloud/azure_cloud_provider.py | 2 +- tests/domain/cloud/test_azure_csp.py | 21 +++++++++++-------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py index 5a42b8a0..ba799fe4 100644 --- a/atst/domain/csp/cloud/azure_cloud_provider.py +++ b/atst/domain/csp/cloud/azure_cloud_provider.py @@ -321,7 +321,7 @@ class AzureCloudProvider(CloudProviderInterface): try: result = self.sdk.requests.delete( - f"{self.sdk.cloud.endpoints.resource_manager}providers/Microsoft.Authorization/roleAssignments/{cloud_id}?api-version=2015-07-01", + f"{self.sdk.cloud.endpoints.resource_manager}/{cloud_id}?api-version=2015-07-01", headers=headers, timeout=30, ) diff --git a/tests/domain/cloud/test_azure_csp.py b/tests/domain/cloud/test_azure_csp.py index 049b291b..3592f2d4 100644 --- a/tests/domain/cloud/test_azure_csp.py +++ b/tests/domain/cloud/test_azure_csp.py @@ -207,6 +207,11 @@ def test_create_policy_definition_succeeds(mock_azure: AzureCloudProvider): def test_disable_user(mock_azure: AzureCloudProvider): + + assignment_guid = str(uuid4()) + management_group_id = str(uuid4()) + assignment_id = f"/providers/Microsoft.Management/managementGroups/{management_group_id}/providers/Microsoft.Authorization/roleAssignments/{assignment_guid}" + mock_result = Mock() mock_result.json.return_value = { "properties": { @@ -214,9 +219,9 @@ def test_disable_user(mock_azure: AzureCloudProvider): "principalId": "Pid", "scope": "/subscriptions/subId/resourcegroups/rgname", }, - "id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId", + "id": assignment_id, "type": "Microsoft.Authorization/roleAssignments", - "name": "roleassignmentId", + "name": assignment_guid, } mock_result.status_code = 200 @@ -235,17 +240,15 @@ def test_disable_user(mock_azure: AzureCloudProvider): mock_azure = mock_get_secret(mock_azure) tenant_id = "60ff9d34-82bf-4f21-b565-308ef0533435" - cloud_id = "roleassignmentId" - with pytest.raises(ConnectionException): - mock_azure.disable_user(tenant_id, cloud_id) + mock_azure.disable_user(tenant_id, assignment_guid) with pytest.raises(ConnectionException): - mock_azure.disable_user(tenant_id, cloud_id) + mock_azure.disable_user(tenant_id, assignment_guid) with pytest.raises(UnknownServerException, match=r".*500 Server Error.*"): - mock_azure.disable_user(tenant_id, cloud_id) + mock_azure.disable_user(tenant_id, assignment_guid) - result = mock_azure.disable_user(tenant_id, cloud_id) - assert result.get("name") == cloud_id + result = mock_azure.disable_user(tenant_id, assignment_guid) + assert result.get("name") == assignment_guid def test_create_tenant(mock_azure: AzureCloudProvider): From e9d120ecae307a19f92c5bc671792d32177c635d Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Tue, 25 Feb 2020 13:46:09 -0500 Subject: [PATCH 03/13] rename csp method disable_user arg --- atst/domain/csp/cloud/azure_cloud_provider.py | 4 ++-- atst/domain/csp/cloud/mock_cloud_provider.py | 2 +- tests/domain/cloud/test_azure_csp.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py index ba799fe4..af893df2 100644 --- a/atst/domain/csp/cloud/azure_cloud_provider.py +++ b/atst/domain/csp/cloud/azure_cloud_provider.py @@ -311,7 +311,7 @@ class AzureCloudProvider(CloudProviderInterface): management_group_id=management_group_id, ) - def disable_user(self, tenant_id, cloud_id): + def disable_user(self, tenant_id, role_assignment_cloud_id): sp_token = self._get_tenant_principal_token(tenant_id) if sp_token is None: raise AuthenticationException("Could not resolve token in disable user") @@ -321,7 +321,7 @@ class AzureCloudProvider(CloudProviderInterface): try: result = self.sdk.requests.delete( - f"{self.sdk.cloud.endpoints.resource_manager}/{cloud_id}?api-version=2015-07-01", + f"{self.sdk.cloud.endpoints.resource_manager}/{role_assignment_cloud_id}?api-version=2015-07-01", headers=headers, timeout=30, ) diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py index 87f78b3b..f73044f5 100644 --- a/atst/domain/csp/cloud/mock_cloud_provider.py +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -417,7 +417,7 @@ class MockCloudProvider(CloudProviderInterface): self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) return self._id() - def disable_user(self, tenant_id, cloud_id): + def disable_user(self, tenant_id, role_assignment_cloud_id): self._authorize(auth_credentials) self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) diff --git a/tests/domain/cloud/test_azure_csp.py b/tests/domain/cloud/test_azure_csp.py index 3592f2d4..de085100 100644 --- a/tests/domain/cloud/test_azure_csp.py +++ b/tests/domain/cloud/test_azure_csp.py @@ -210,7 +210,7 @@ def test_disable_user(mock_azure: AzureCloudProvider): assignment_guid = str(uuid4()) management_group_id = str(uuid4()) - assignment_id = f"/providers/Microsoft.Management/managementGroups/{management_group_id}/providers/Microsoft.Authorization/roleAssignments/{assignment_guid}" + assignment_id = f"/providers/Microsoft.Management/managementGroups/{management_group_id}/providers/Microsoft.Authorization/roleAssignments/{assignment_guid}" mock_result = Mock() mock_result.json.return_value = { From d6270319028fda21e3697241bec51182d17f7c54 Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Wed, 26 Feb 2020 08:56:52 -0500 Subject: [PATCH 04/13] mock csp disable user test correct variable names --- atst/domain/csp/cloud/mock_cloud_provider.py | 4 ++-- tests/domain/cloud/test_mock_csp.py | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py index f73044f5..b8bae79d 100644 --- a/atst/domain/csp/cloud/mock_cloud_provider.py +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -417,14 +417,14 @@ class MockCloudProvider(CloudProviderInterface): self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) return self._id() - def disable_user(self, tenant_id, role_assignment_cloud_id): + def disable_user(self, auth_credentials, tenant_id, role_assignment_cloud_id): self._authorize(auth_credentials) self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) self._maybe_raise( self.ATAT_ADMIN_CREATE_FAILURE_PCT, - UserRemovalException(csp_user_id, "Could not disable user."), + UserRemovalException(tenant_id, "Could not disable user."), ) return self._maybe(12) diff --git a/tests/domain/cloud/test_mock_csp.py b/tests/domain/cloud/test_mock_csp.py index 098e91b1..fb66b153 100644 --- a/tests/domain/cloud/test_mock_csp.py +++ b/tests/domain/cloud/test_mock_csp.py @@ -79,4 +79,6 @@ def test_create_or_update_user(mock_csp: MockCloudProvider): def test_disable_user(mock_csp: MockCloudProvider): - assert mock_csp.disable_user(CREDENTIALS, "csp_user_id") + assert mock_csp.disable_user( + CREDENTIALS, "tenant_id", "role_assignment_cloud_id" + ) From d73ac79246d139e4c9189bf1c4744e674d8f540c Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Wed, 26 Feb 2020 08:57:45 -0500 Subject: [PATCH 05/13] mock csp disable user test correct variable names. formatting. --- tests/domain/cloud/test_mock_csp.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/domain/cloud/test_mock_csp.py b/tests/domain/cloud/test_mock_csp.py index fb66b153..ad029ac2 100644 --- a/tests/domain/cloud/test_mock_csp.py +++ b/tests/domain/cloud/test_mock_csp.py @@ -79,6 +79,4 @@ def test_create_or_update_user(mock_csp: MockCloudProvider): def test_disable_user(mock_csp: MockCloudProvider): - assert mock_csp.disable_user( - CREDENTIALS, "tenant_id", "role_assignment_cloud_id" - ) + assert mock_csp.disable_user(CREDENTIALS, "tenant_id", "role_assignment_cloud_id") From 3add633d97c9f1b2337fa071eb547f06ca38fea5 Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Thu, 27 Feb 2020 12:30:55 -0500 Subject: [PATCH 06/13] csp disable_user method signature update --- atst/domain/csp/cloud/cloud_provider_interface.py | 6 +++--- atst/domain/csp/cloud/mock_cloud_provider.py | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/atst/domain/csp/cloud/cloud_provider_interface.py b/atst/domain/csp/cloud/cloud_provider_interface.py index 250ac6ef..39ac6662 100644 --- a/atst/domain/csp/cloud/cloud_provider_interface.py +++ b/atst/domain/csp/cloud/cloud_provider_interface.py @@ -54,13 +54,13 @@ class CloudProviderInterface: # pragma: no cover """ raise NotImplementedError() - def disable_user(self, auth_credentials: Dict, csp_user_id: str) -> bool: + def disable_user(self, tenant_id: str, role_assignment_cloud_id: str) -> bool: """Revoke all privileges for a user. Used to prevent user access while a full delete is being processed. Arguments: - auth_credentials -- Object containing CSP account credentials - csp_user_id -- CSP internal user identifier + tenant_id -- CSP internal tenant identifier + role_assignment_cloud_id -- CSP name of the role assignment to delete. Returns: bool -- True on success diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py index b8bae79d..01cf3bfd 100644 --- a/atst/domain/csp/cloud/mock_cloud_provider.py +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -417,8 +417,7 @@ class MockCloudProvider(CloudProviderInterface): self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) return self._id() - def disable_user(self, auth_credentials, tenant_id, role_assignment_cloud_id): - self._authorize(auth_credentials) + def disable_user(self, tenant_id, role_assignment_cloud_id): self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) From ea87fa7308c0ce83e3f891215cc61ed399450480 Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Thu, 20 Feb 2020 13:51:38 -0500 Subject: [PATCH 07/13] azure disable user call --- atst/domain/csp/cloud/azure_cloud_provider.py | 35 ++++++++++++++++ atst/domain/csp/cloud/mock_cloud_provider.py | 2 +- tests/domain/cloud/test_azure_csp.py | 42 +++++++++++++++++++ 3 files changed, 78 insertions(+), 1 deletion(-) diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py index 39c2e83a..5a42b8a0 100644 --- a/atst/domain/csp/cloud/azure_cloud_provider.py +++ b/atst/domain/csp/cloud/azure_cloud_provider.py @@ -311,6 +311,41 @@ class AzureCloudProvider(CloudProviderInterface): management_group_id=management_group_id, ) + def disable_user(self, tenant_id, cloud_id): + sp_token = self._get_tenant_principal_token(tenant_id) + if sp_token is None: + raise AuthenticationException("Could not resolve token in disable user") + headers = { + "Authorization": f"Bearer {sp_token}", + } + + try: + result = self.sdk.requests.delete( + f"{self.sdk.cloud.endpoints.resource_manager}providers/Microsoft.Authorization/roleAssignments/{cloud_id}?api-version=2015-07-01", + headers=headers, + timeout=30, + ) + result.raise_for_status() + return result.json() + + except self.sdk.requests.exceptions.ConnectionError: + app.logger.error( + f"Could not disable user. Connection Error", exc_info=1, + ) + raise ConnectionException("connection error azure disable user") + except self.sdk.requests.exceptions.Timeout: + app.logger.error( + f"Could not disable user. Request timed out.", exc_info=1, + ) + raise ConnectionException("timout error azure disable user") + except self.sdk.requests.exceptions.HTTPError as exc: + app.logger.error( + result.status_code, "azure application error disable user", exc_info=1, + ) + raise UnknownServerException( + result.status_code, f"azure application error disable user. {str(exc)}", + ) + def create_tenant(self, payload: TenantCSPPayload): sp_token = self._get_root_provisioning_token() if sp_token is None: diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py index a34f40d5..87f78b3b 100644 --- a/atst/domain/csp/cloud/mock_cloud_provider.py +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -417,7 +417,7 @@ class MockCloudProvider(CloudProviderInterface): self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) return self._id() - def disable_user(self, auth_credentials, csp_user_id): + def disable_user(self, tenant_id, cloud_id): self._authorize(auth_credentials) self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) diff --git a/tests/domain/cloud/test_azure_csp.py b/tests/domain/cloud/test_azure_csp.py index 5deddc63..049b291b 100644 --- a/tests/domain/cloud/test_azure_csp.py +++ b/tests/domain/cloud/test_azure_csp.py @@ -206,6 +206,48 @@ def test_create_policy_definition_succeeds(mock_azure: AzureCloudProvider): ) +def test_disable_user(mock_azure: AzureCloudProvider): + mock_result = Mock() + mock_result.json.return_value = { + "properties": { + "roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/roledefinitionId", + "principalId": "Pid", + "scope": "/subscriptions/subId/resourcegroups/rgname", + }, + "id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId", + "type": "Microsoft.Authorization/roleAssignments", + "name": "roleassignmentId", + } + + mock_result.status_code = 200 + mock_http_error_resp = mock_requests_response( + status=500, + raise_for_status=mock_azure.sdk.requests.exceptions.HTTPError( + "500 Server Error" + ), + ) + mock_azure.sdk.requests.delete.side_effect = [ + mock_azure.sdk.requests.exceptions.ConnectionError, + mock_azure.sdk.requests.exceptions.Timeout, + mock_http_error_resp, + mock_result, + ] + mock_azure = mock_get_secret(mock_azure) + + tenant_id = "60ff9d34-82bf-4f21-b565-308ef0533435" + cloud_id = "roleassignmentId" + + with pytest.raises(ConnectionException): + mock_azure.disable_user(tenant_id, cloud_id) + with pytest.raises(ConnectionException): + mock_azure.disable_user(tenant_id, cloud_id) + with pytest.raises(UnknownServerException, match=r".*500 Server Error.*"): + mock_azure.disable_user(tenant_id, cloud_id) + + result = mock_azure.disable_user(tenant_id, cloud_id) + assert result.get("name") == cloud_id + + def test_create_tenant(mock_azure: AzureCloudProvider): mock_result = Mock() mock_result.json.return_value = { From 7a49afafd971f5c23cf7a513b33dd93af813f464 Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Thu, 20 Feb 2020 14:22:05 -0500 Subject: [PATCH 08/13] azure disable_user update url, assignment id --- atst/domain/csp/cloud/azure_cloud_provider.py | 2 +- tests/domain/cloud/test_azure_csp.py | 21 +++++++++++-------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py index 5a42b8a0..ba799fe4 100644 --- a/atst/domain/csp/cloud/azure_cloud_provider.py +++ b/atst/domain/csp/cloud/azure_cloud_provider.py @@ -321,7 +321,7 @@ class AzureCloudProvider(CloudProviderInterface): try: result = self.sdk.requests.delete( - f"{self.sdk.cloud.endpoints.resource_manager}providers/Microsoft.Authorization/roleAssignments/{cloud_id}?api-version=2015-07-01", + f"{self.sdk.cloud.endpoints.resource_manager}/{cloud_id}?api-version=2015-07-01", headers=headers, timeout=30, ) diff --git a/tests/domain/cloud/test_azure_csp.py b/tests/domain/cloud/test_azure_csp.py index 049b291b..3592f2d4 100644 --- a/tests/domain/cloud/test_azure_csp.py +++ b/tests/domain/cloud/test_azure_csp.py @@ -207,6 +207,11 @@ def test_create_policy_definition_succeeds(mock_azure: AzureCloudProvider): def test_disable_user(mock_azure: AzureCloudProvider): + + assignment_guid = str(uuid4()) + management_group_id = str(uuid4()) + assignment_id = f"/providers/Microsoft.Management/managementGroups/{management_group_id}/providers/Microsoft.Authorization/roleAssignments/{assignment_guid}" + mock_result = Mock() mock_result.json.return_value = { "properties": { @@ -214,9 +219,9 @@ def test_disable_user(mock_azure: AzureCloudProvider): "principalId": "Pid", "scope": "/subscriptions/subId/resourcegroups/rgname", }, - "id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId", + "id": assignment_id, "type": "Microsoft.Authorization/roleAssignments", - "name": "roleassignmentId", + "name": assignment_guid, } mock_result.status_code = 200 @@ -235,17 +240,15 @@ def test_disable_user(mock_azure: AzureCloudProvider): mock_azure = mock_get_secret(mock_azure) tenant_id = "60ff9d34-82bf-4f21-b565-308ef0533435" - cloud_id = "roleassignmentId" - with pytest.raises(ConnectionException): - mock_azure.disable_user(tenant_id, cloud_id) + mock_azure.disable_user(tenant_id, assignment_guid) with pytest.raises(ConnectionException): - mock_azure.disable_user(tenant_id, cloud_id) + mock_azure.disable_user(tenant_id, assignment_guid) with pytest.raises(UnknownServerException, match=r".*500 Server Error.*"): - mock_azure.disable_user(tenant_id, cloud_id) + mock_azure.disable_user(tenant_id, assignment_guid) - result = mock_azure.disable_user(tenant_id, cloud_id) - assert result.get("name") == cloud_id + result = mock_azure.disable_user(tenant_id, assignment_guid) + assert result.get("name") == assignment_guid def test_create_tenant(mock_azure: AzureCloudProvider): From 90bf69afd39a3180cfff840e14aa307b651515f9 Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Tue, 25 Feb 2020 13:46:09 -0500 Subject: [PATCH 09/13] rename csp method disable_user arg --- atst/domain/csp/cloud/azure_cloud_provider.py | 4 ++-- atst/domain/csp/cloud/mock_cloud_provider.py | 2 +- tests/domain/cloud/test_azure_csp.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py index ba799fe4..af893df2 100644 --- a/atst/domain/csp/cloud/azure_cloud_provider.py +++ b/atst/domain/csp/cloud/azure_cloud_provider.py @@ -311,7 +311,7 @@ class AzureCloudProvider(CloudProviderInterface): management_group_id=management_group_id, ) - def disable_user(self, tenant_id, cloud_id): + def disable_user(self, tenant_id, role_assignment_cloud_id): sp_token = self._get_tenant_principal_token(tenant_id) if sp_token is None: raise AuthenticationException("Could not resolve token in disable user") @@ -321,7 +321,7 @@ class AzureCloudProvider(CloudProviderInterface): try: result = self.sdk.requests.delete( - f"{self.sdk.cloud.endpoints.resource_manager}/{cloud_id}?api-version=2015-07-01", + f"{self.sdk.cloud.endpoints.resource_manager}/{role_assignment_cloud_id}?api-version=2015-07-01", headers=headers, timeout=30, ) diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py index 87f78b3b..f73044f5 100644 --- a/atst/domain/csp/cloud/mock_cloud_provider.py +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -417,7 +417,7 @@ class MockCloudProvider(CloudProviderInterface): self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) return self._id() - def disable_user(self, tenant_id, cloud_id): + def disable_user(self, tenant_id, role_assignment_cloud_id): self._authorize(auth_credentials) self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) diff --git a/tests/domain/cloud/test_azure_csp.py b/tests/domain/cloud/test_azure_csp.py index 3592f2d4..de085100 100644 --- a/tests/domain/cloud/test_azure_csp.py +++ b/tests/domain/cloud/test_azure_csp.py @@ -210,7 +210,7 @@ def test_disable_user(mock_azure: AzureCloudProvider): assignment_guid = str(uuid4()) management_group_id = str(uuid4()) - assignment_id = f"/providers/Microsoft.Management/managementGroups/{management_group_id}/providers/Microsoft.Authorization/roleAssignments/{assignment_guid}" + assignment_id = f"/providers/Microsoft.Management/managementGroups/{management_group_id}/providers/Microsoft.Authorization/roleAssignments/{assignment_guid}" mock_result = Mock() mock_result.json.return_value = { From a977beb7f6c99de70f02f949188d450c609262ff Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Wed, 26 Feb 2020 08:56:52 -0500 Subject: [PATCH 10/13] mock csp disable user test correct variable names --- atst/domain/csp/cloud/mock_cloud_provider.py | 4 ++-- tests/domain/cloud/test_mock_csp.py | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py index f73044f5..b8bae79d 100644 --- a/atst/domain/csp/cloud/mock_cloud_provider.py +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -417,14 +417,14 @@ class MockCloudProvider(CloudProviderInterface): self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) return self._id() - def disable_user(self, tenant_id, role_assignment_cloud_id): + def disable_user(self, auth_credentials, tenant_id, role_assignment_cloud_id): self._authorize(auth_credentials) self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) self._maybe_raise( self.ATAT_ADMIN_CREATE_FAILURE_PCT, - UserRemovalException(csp_user_id, "Could not disable user."), + UserRemovalException(tenant_id, "Could not disable user."), ) return self._maybe(12) diff --git a/tests/domain/cloud/test_mock_csp.py b/tests/domain/cloud/test_mock_csp.py index 50320da3..11ed7454 100644 --- a/tests/domain/cloud/test_mock_csp.py +++ b/tests/domain/cloud/test_mock_csp.py @@ -79,4 +79,6 @@ def test_create_or_update_user(mock_csp: MockCloudProvider): def test_disable_user(mock_csp: MockCloudProvider): - assert mock_csp.disable_user(CREDENTIALS, "csp_user_id") + assert mock_csp.disable_user( + CREDENTIALS, "tenant_id", "role_assignment_cloud_id" + ) From b99d41e4a0c10c50ec1a2a8a803d80cb8a91b2bf Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Wed, 26 Feb 2020 08:57:45 -0500 Subject: [PATCH 11/13] mock csp disable user test correct variable names. formatting. --- tests/domain/cloud/test_mock_csp.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/domain/cloud/test_mock_csp.py b/tests/domain/cloud/test_mock_csp.py index 11ed7454..6923baf5 100644 --- a/tests/domain/cloud/test_mock_csp.py +++ b/tests/domain/cloud/test_mock_csp.py @@ -79,6 +79,4 @@ def test_create_or_update_user(mock_csp: MockCloudProvider): def test_disable_user(mock_csp: MockCloudProvider): - assert mock_csp.disable_user( - CREDENTIALS, "tenant_id", "role_assignment_cloud_id" - ) + assert mock_csp.disable_user(CREDENTIALS, "tenant_id", "role_assignment_cloud_id") From c0ea4838294f8826c7facb26efbbf06244ac1608 Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Thu, 27 Feb 2020 12:30:55 -0500 Subject: [PATCH 12/13] csp disable_user method signature update --- atst/domain/csp/cloud/cloud_provider_interface.py | 6 +++--- atst/domain/csp/cloud/mock_cloud_provider.py | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/atst/domain/csp/cloud/cloud_provider_interface.py b/atst/domain/csp/cloud/cloud_provider_interface.py index 250ac6ef..39ac6662 100644 --- a/atst/domain/csp/cloud/cloud_provider_interface.py +++ b/atst/domain/csp/cloud/cloud_provider_interface.py @@ -54,13 +54,13 @@ class CloudProviderInterface: # pragma: no cover """ raise NotImplementedError() - def disable_user(self, auth_credentials: Dict, csp_user_id: str) -> bool: + def disable_user(self, tenant_id: str, role_assignment_cloud_id: str) -> bool: """Revoke all privileges for a user. Used to prevent user access while a full delete is being processed. Arguments: - auth_credentials -- Object containing CSP account credentials - csp_user_id -- CSP internal user identifier + tenant_id -- CSP internal tenant identifier + role_assignment_cloud_id -- CSP name of the role assignment to delete. Returns: bool -- True on success diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py index b8bae79d..01cf3bfd 100644 --- a/atst/domain/csp/cloud/mock_cloud_provider.py +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -417,8 +417,7 @@ class MockCloudProvider(CloudProviderInterface): self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) return self._id() - def disable_user(self, auth_credentials, tenant_id, role_assignment_cloud_id): - self._authorize(auth_credentials) + def disable_user(self, tenant_id, role_assignment_cloud_id): self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) From 4ed12401400ebd22d4047536b716ab62fcf532f7 Mon Sep 17 00:00:00 2001 From: Philip Kalinsky Date: Thu, 27 Feb 2020 13:13:32 -0500 Subject: [PATCH 13/13] csp disable user mock_csp test update call --- tests/domain/cloud/test_mock_csp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/domain/cloud/test_mock_csp.py b/tests/domain/cloud/test_mock_csp.py index 6923baf5..875124d7 100644 --- a/tests/domain/cloud/test_mock_csp.py +++ b/tests/domain/cloud/test_mock_csp.py @@ -79,4 +79,4 @@ def test_create_or_update_user(mock_csp: MockCloudProvider): def test_disable_user(mock_csp: MockCloudProvider): - assert mock_csp.disable_user(CREDENTIALS, "tenant_id", "role_assignment_cloud_id") + assert mock_csp.disable_user("tenant_id", "role_assignment_cloud_id")