dalibo / ldap2pg

:elephant: :busts_in_silhouette: Manage PostgreSQL roles and privileges from YAML or LDAP
https://labs.dalibo.com/ldap2pg
PostgreSQL License

FAILED tests/func/test_sample.py::test_real_mode - AssertionError: assert 'daniel' in ['owners'] #499

Closed. qudong521 closed this 1 year ago

qudong521 commented 1 year ago

Hello!

I encountered the following error while running pytest. I tried to modify the yml file, but the problem has not been resolved. Can you help me?

FAILED tests/func/test_full.py::test_run - sh.ErrorReturnCode_1:
FAILED tests/func/test_sample.py::test_real_mode - AssertionError: assert 'daniel' in ['owners']

My configuration file is as follows:

#
# This configuration tries to embed most complexities.
#

postgres:
  databases_query: [postgres, appdb, olddb]

  schemas_query: |
    SELECT nspname FROM pg_catalog.pg_namespace
    WHERE nspname = 'pg_catalog' OR nspname NOT LIKE 'pg_%'

  managed_roles_query: |
    SELECT 'public'
    UNION
    SELECT DISTINCT role.rolname
    FROM pg_roles AS role
    LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
    LEFT OUTER JOIN pg_roles AS ldap_roles
      ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
    WHERE role.rolname IN ('ldap_roles', 'DBA', 'readers', 'writers', 'owners')
        OR ldap_roles.oid IS NOT NULL
    ORDER BY 1;

  owners_query: |
    SELECT DISTINCT role.rolname
    FROM pg_catalog.pg_roles AS role
    JOIN pg_catalog.pg_auth_members AS ms ON ms.member = role.oid
    JOIN pg_catalog.pg_roles AS owners
      ON owners.rolname = 'owners' AND owners.oid = ms.roleid
    ORDER BY 1;

  roles_blacklist_query: |
    VALUES
    ('postgres'),
    ('pg_*'),
    ('rds_*')
    ;

privileges:
  ro:
  - __connect__
  # Revoking __execute__ on public restores some grants that need a second run
  # to be revoked. Disable it to not handle this case.
  # - __execute__
  - __select_on_tables__
  - __select_on_sequences__
  - __usage_on_schemas__
  - __usage_on_types__

  rw:
  - __temporary__
  - __all_on_tables__
  - __all_on_sequences__

  ddl:
  - __create_on_schemas__

sync_map:
- roles:
  - names:
    - Alan
    - ldap_roles
    - readers
    options: NOLOGIN
    comment: Custom static comment.
  - name: writers
    parent: readers
    options: NOLOGIN
  - name: owners
    parent: writers
    options: NOLOGIN
  - name: DBA
    options: NOLOGIN
  grant:
  - privilege: ro
    role: readers
  - privilege: rw
    role: writers
    schema: public
  - privilege: ddl
    role: owners
    schema: public
  - privilege: rw
    role: owners
    schema: pg_catalog
  - privilege: rw
    role: writers
    database: appdb
    schema: appns
  - privilege: ddl
    role: owners
    database: appdb
    schema: appns
  - privilege: ddl
    role: daniel
    schema: appns

- ldapsearch:
    base: ou=People,dc=example,dc=com
    filter: "(cn=dba)"
    joins:
      member:
        filter: "(mail=*)"
  role:
    name: '{member.cn}'
    options: LOGIN SUPERUSER
    parent:
    - ldap_roles
    - owners
    - DBA
    # Triggers a join.
    comment: "mail: {member.mail}"

- ldapsearch:
    base: ou=People,dc=example,dc=com
    filter: "(cn=team*)"
    on_unexpected_dn: warn
  role:
    name: '{member.cn}'
    options: LOGIN
    parent:
    - ldap_roles
    - writers
ldap:
  uri: ldap://ldap.example.com:389
  binddn: cn=admin,dc=example,dc=com
  password: 123456

I have manually made many modifications, but the issue has not been resolved. The file above is the version I currently maintain with the least number of issues. I hope you can give me some guidance, and I would be very grateful.

qudong521 commented 1 year ago

Sorry, I'm a newcomer. I asked some childish questions for my first contact.

bersace commented 1 year ago

Sorry, I'm a newcomer. I asked some childish questions for my first contact.

There is no problem with being a newcomer. You're welcome!

bersace commented 1 year ago

I'll take a look at this later, sorry for the delay.

qudong521 commented 1 year ago

Add some information:

__________________________________________________________________________________________________________________________________ test_run ___________________________________________________________________________________________________________________________________

psql = <conftest.PSQL object at 0x7f7eb4615ba8>

    def test_run(psql):
        # type: (PSQL) -> None

        from sh import ldap2pg
        c = 'tests/func/ldap2pg.full.yml'

        # Ensure database is not sync.
        ldap2pg('-C', c=c, _ok_code=1)

        # Synchronize all
        ldap2pg('-N', c=c)
        ldap2pg('-C', c=c)

        roles = list(psql.roles())

        print(roles)

        assert 'Alan' in roles
        assert 'oscar' not in roles

        assert 'ALICE' in psql.superusers()

        writers = list(psql.members('writers'))

        print(writers)

>       assert 'daniel' in writers
E       AssertionError: assert 'daniel' in ['owners']

c          = 'tests/func/ldap2pg.full.yml'
ldap2pg    = <Command '/usr/local/bin/ldap2pg'>
psql       = <conftest.PSQL object at 0x7f7eb4615ba8>
roles      = ['pg_database_owner',
 'pg_read_all_data',
 'pg_write_all_data',
 'pg_monitor',
 'pg_read_all_settings',
 'pg_read_all_stats',
 'pg_stat_scan_tables',
 'pg_read_server_files',
 'pg_write_server_files',
 'pg_execute_server_program',
 'pg_signal_backend',
 'pg_checkpoint',
 'nonsuper',
 'ldap_roles',
 'app',
 'daniel',
 'david',
 'denis',
 'ALICE',
 'keepme',
 'kevin',
 'owners',
 'writers',
 'readers',
 'postgres',
 'DBA',
 'Alan']
writers    = ['owners']

tests/func/test_full.py:33: AssertionError
============================================================================================================================== warnings summary ===============================================================================================================================
../../../usr/local/lib/python3.6/site-packages/_pytest/cacheprovider.py:433
  /usr/local/lib/python3.6/site-packages/_pytest/cacheprovider.py:433: PytestCacheWarning: cache could not write path /home/package/ldap2pg-master/tests/func/.pytest_cache/v/cache/nodeids
    config.cache.set("cache/nodeids", sorted(self.cached_nodeids))

../../../usr/local/lib/python3.6/site-packages/_pytest/cacheprovider.py:387
  /usr/local/lib/python3.6/site-packages/_pytest/cacheprovider.py:387: PytestCacheWarning: cache could not write path /home/package/ldap2pg-master/tests/func/.pytest_cache/v/cache/lastfailed
    config.cache.set("cache/lastfailed", self.lastfailed)

../../../usr/local/lib/python3.6/site-packages/_pytest/stepwise.py:52
  /usr/local/lib/python3.6/site-packages/_pytest/stepwise.py:52: PytestCacheWarning: cache could not write path /home/package/ldap2pg-master/tests/func/.pytest_cache/v/cache/stepwise
    session.config.cache.set(STEPWISE_CACHE_DIR, [])

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
=========================================================================================================================== short test summary info ===========================================================================================================================
FAILED tests/func/test_full.py::test_run - AssertionError: assert 'daniel' in ['owners']
FAILED tests/func/test_sample.py::test_real_mode - AssertionError: assert 'daniel' in ['owners']
================================================================================================================== 2 failed, 7 passed, 3 warnings in 19.74s ===================================================================================================================
[postgres@MiWiFi-R3G-srv ldap2pg-master]$

bersace commented 1 year ago

What is the output of \du+ in psql?

Use pytest --pdb to stop test on failure before cleanup.

qudong521 commented 1 year ago

Now this is the result:

[postgres@MiWiFi-R3G-srv ldap2pg-master]$ psql
psql (15.2)
Type "help" for help.

postgres=# \du
                                    List of roles
 Role name  |                         Attributes                         | Member of
------------+------------------------------------------------------------+-----------
 ALICE      | Superuser, Cannot login                                    | {app}
 Alan       | Cannot login                                               | {}
 DBA        | Cannot login                                               | {}
 app        | Cannot login                                               | {}
 daniel     |                                                            | {}
 david      |                                                            | {}
 denis      |                                                            | {}
 keepme     | Cannot login                                               | {}
 kevin      | Cannot login                                               | {}
 ldap_roles | Cannot login                                               | {}
 nonsuper   | Create role, Create DB                                     | {}
 owners     | Cannot login                                               | {writers}
 postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
 readers    | Cannot login                                               | {}
 writers    | Cannot login                                               | {readers}

postgres=# \q

But when I modified the configuration file, I added:

- name: daniel
  parent: writers

After this, the testing changed:

___________________________________________________________ test_run ___________________________________________________________

psql = <conftest.PSQL object at 0x7f90c25c6d68>

    def test_run(psql):
        # type: (PSQL) -> None

        from sh import ldap2pg
        c = 'tests/func/ldap2pg.full.yml'

        # Ensure database is not sync.
        ldap2pg('-C', c=c, _ok_code=1)

        # Synchronize all
        ldap2pg('-N', c=c)
>       ldap2pg('-C', c=c)

c          = 'tests/func/ldap2pg.full.yml'
ldap2pg    = <Command '/usr/local/bin/ldap2pg'>
psql       = <conftest.PSQL object at 0x7f90c25c6d68>

tests/func/test_full.py:18:
[postgres@MiWiFi-R3G-srv ldap2pg-master]$ psql
psql (15.2)
Type "help" for help.

postgres=# \du
                                    List of roles
 Role name  |                         Attributes                         | Member of
------------+------------------------------------------------------------+-----------
 ALICE      | Superuser, Cannot login                                    | {app}
 Alan       | Cannot login                                               | {}
 DBA        | Cannot login                                               | {}
 app        | Cannot login                                               | {}
 daniel     | Cannot login                                               | {writers}
 david      |                                                            | {}
 denis      |                                                            | {}
 keepme     | Cannot login                                               | {}
 kevin      | Cannot login                                               | {}
 ldap_roles | Cannot login                                               | {}
 nonsuper   | Create role, Create DB                                     | {}
 owners     | Cannot login                                               | {writers}
 postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
 readers    | Cannot login                                               | {}
 writers    | Cannot login                                               | {readers}

postgres=#

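To reproduce the check behind the failing assertion against the two \du listings above, here is an added example (not ldap2pg's own code, and independent of the test suite's psql helper): it parses the psql \du table, lists the direct members of a group the way `psql.members('writers')` does in the test, and also resolves inherited membership so you can see which groups a role effectively belongs to.

```python
import re

# Constructed samples: rows copied from the two "\du" listings in this thread
# (other rows omitted). The first is before "- name: daniel / parent: writers"
# was added to sync_map, the second after.
DU_BEFORE = """\
 Role name  |                         Attributes                         | Member of
------------+------------------------------------------------------------+-----------
 ALICE      | Superuser, Cannot login                                    | {app}
 daniel     |                                                            | {}
 owners     | Cannot login                                               | {writers}
 readers    | Cannot login                                               | {}
 writers    | Cannot login                                               | {readers}
"""
DU_AFTER = """\
 Role name  |                         Attributes                         | Member of
------------+------------------------------------------------------------+-----------
 daniel     | Cannot login                                               | {writers}
 owners     | Cannot login                                               | {writers}
 readers    | Cannot login                                               | {}
 writers    | Cannot login                                               | {readers}
"""


def parse_du(text):
    """Return {role: set(direct parents)} from a psql \\du table.
    Only plain role names are handled (no quoted names with spaces)."""
    roles = {}
    for line in text.splitlines():
        # Skip the title, the column header and the dashed separator.
        if "|" not in line or line.startswith("-") or "Role name" in line:
            continue
        name, _attrs, member_of = (col.strip() for col in line.split("|", 2))
        roles[name] = set(re.findall(r"[^{},\s]+", member_of))  # "{a,b}" -> a, b
    return roles


def members(roles, group):
    """Direct members of group: the list the failing assertion inspects."""
    return sorted(r for r, parents in roles.items() if group in parents)


def effective_roles(roles, role):
    """Transitive closure of membership: every group role inherits from."""
    seen, todo = set(), list(roles.get(role, ()))
    while todo:
        parent = todo.pop()
        if parent not in seen:
            seen.add(parent)
            todo.extend(roles.get(parent, ()))
    return seen
```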
qudong521 commented 1 year ago

Haha. I have resolved the issue, but there was a missing entry in my ldap service configuration. Thank you very much. Closing the issue now.