165 Validate role service partially also in wait_for_deps.py #995

Merged
merged 4 commits into from
Jan 5, 2024
Merged
Move validate_role_service to layman_start_util.py
jirik committed Jan 5, 2024
commit 6a8cd934cdf7ac1988caef459115fe22edb8ff9a
2 changes: 1 addition & 1 deletion src/layman/__init__.py
@@ -7,6 +7,7 @@
from redis import WatchError

import layman_settings as settings
from layman_start_util import validate_role_service

IN_CELERY_WORKER_PROCESS = sys.argv and sys.argv[0].endswith('/celery/__main__.py')
IN_PYTEST_PROCESS = sys.argv and sys.argv[0].endswith('/pytest/__main__.py')
@@ -129,7 +130,6 @@
set_after_restart()

logger.info(f'Validate Role service data')
from .authz.role_service import validate_role_service
validate_role_service()

pipe.multi()
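Review bot: The new top-level `from layman_start_util import validate_role_service` in `src/layman/__init__.py` runs at package import time, and as far as this commit shows the new module in turn imports `ROLE_NAME_PATTERN` from `layman.authz.role_service`, which itself does `from layman import settings` — so importing the `layman` package now re-enters `layman` while it is still initialising. It appears to work only because `import layman_settings as settings` on the preceding line binds `settings` before the cycle is entered; reordering these imports, or importing `layman_start_util` first (which is the point of using it from wait_for_deps.py), would fail on a partially initialised module. The import removed in the second hunk was local to the function, which avoided this; keeping it local, `from layman_start_util import validate_role_service` immediately before the `validate_role_service()` call, or moving `ROLE_NAME_PATTERN` into a module that does not import `layman`, removes the cycle. The function around the second hunk starts and ends outside the hunk.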
76 changes: 0 additions & 76 deletions src/layman/authz/role_service.py
@@ -1,7 +1,6 @@
import logging

from db import util as db_util
from geoserver import util as gs_util
from layman import settings

logger = logging.getLogger(__name__)
@@ -39,78 +38,3 @@ def get_all_roles():
"""
roles = db_util.run_query(query, ('ADMIN', 'GROUP_ADMIN', settings.LAYMAN_GS_ROLE, ROLE_NAME_PATTERN), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
return [role[0] for role in roles] + [settings.RIGHTS_EVERYONE_ROLE]


def validate_role_table():
expected_roles = ['ADMIN', 'GROUP_ADMIN', settings.LAYMAN_GS_ROLE]
query = f"""
select unnest(%s)
EXCEPT
select name
from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.roles
"""
roles = db_util.run_query(query, (expected_roles,), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
if roles:
raise Exception(f"Missing roles in JDBC Role service: {[role[0] for role in roles]}")

query = f"""
select name
from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.roles
where name !~ %s
"""
roles = db_util.run_query(query, (ROLE_NAME_PATTERN,), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
if roles:
raise Exception(f"Roles not matching pattern '{ROLE_NAME_PATTERN}' in JDBC Role service: {[role[0] for role in roles]}")

not_expected_roles = [settings.RIGHTS_EVERYONE_ROLE, ] + gs_util.RESERVED_ROLE_NAMES
query = f"""
select name
from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.roles
where name = any(%s)
"""
roles = db_util.run_query(query, (not_expected_roles,), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
if roles:
raise Exception(f"Roles {not_expected_roles} should not be in JDBC Role service.")

query = f"""
select name
from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.roles
where parent is not null
"""
roles = db_util.run_query(query, uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
if roles:
raise Exception(f"Roles in JDBC Role service should not have parent column filled: {[role[0] for role in roles]}.")


def validate_user_roles_table():
exp_relation = [(settings.LAYMAN_GS_USER, 'ADMIN'),
(settings.LAYMAN_GS_USER, settings.LAYMAN_GS_ROLE),
(settings.GEOSERVER_ADMIN_USER, 'ADMIN'),
]
query = f"""
with exp_relations as(
SELECT w.name, %s
FROM {settings.LAYMAN_PRIME_SCHEMA}.users u inner join
{settings.LAYMAN_PRIME_SCHEMA}.workspaces w on u.id_workspace = w.id
UNION ALL
select w.name as username,
concat('USER_', UPPER(w.name)) as rolename
from {settings.LAYMAN_PRIME_SCHEMA}.users u inner join
{settings.LAYMAN_PRIME_SCHEMA}.workspaces w on w.id = u.id_workspace
UNION ALL
select * from unnest (%s, %s) as exp_user_role(username, rolename)
)
select * from exp_relations
except
select username, rolename
from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.user_roles
"""
user_roles = db_util.run_query(query, (settings.LAYMAN_GS_ROLE, [rel[0] for rel in exp_relation], [rel[1] for rel in exp_relation]), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
if user_roles:
raise Exception(
f"Missing user-role relation in JDBC Role service table user_roles: {[{'username': user_role[0], 'rolename': user_role[1]} for user_role in user_roles]}")


def validate_role_service():
validate_role_table()
validate_user_roles_table()
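--- a/src/layman_start_util.py
+++ b/src/layman_start_util.py
@@ -0,0 +1,79 @@
+import layman_settings as settings
+from db import util as db_util
+from geoserver import util as gs_util
+from layman.authz.role_service import ROLE_NAME_PATTERN
+
+
+def validate_role_table():
+    expected_roles = ['ADMIN', 'GROUP_ADMIN', settings.LAYMAN_GS_ROLE]
+    query = f"""
+    select unnest(%s)
+    EXCEPT
+    select name
+    from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.roles
+    """
+    roles = db_util.run_query(query, (expected_roles,), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
+    if roles:
+        raise Exception(f"Missing roles in JDBC Role service: {[role[0] for role in roles]}")
+
+    query = f"""
+    select name
+    from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.roles
+    where name !~ %s
+    """
+    roles = db_util.run_query(query, (ROLE_NAME_PATTERN,), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
+    if roles:
+        raise Exception(f"Roles not matching pattern '{ROLE_NAME_PATTERN}' in JDBC Role service: {[role[0] for role in roles]}")
+
+    not_expected_roles = [settings.RIGHTS_EVERYONE_ROLE, ] + gs_util.RESERVED_ROLE_NAMES
+    query = f"""
+    select name
+    from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.roles
+    where name = any(%s)
+    """
+    roles = db_util.run_query(query, (not_expected_roles,), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
+    if roles:
+        raise Exception(f"Roles {not_expected_roles} should not be in JDBC Role service.")
+
+    query = f"""
+    select name
+    from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.roles
+    where parent is not null
+    """
+    roles = db_util.run_query(query, uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
+    if roles:
+        raise Exception(f"Roles in JDBC Role service should not have parent column filled: {[role[0] for role in roles]}.")
+
+
+def validate_user_roles_table():
+    exp_relation = [(settings.LAYMAN_GS_USER, 'ADMIN'),
+                    (settings.LAYMAN_GS_USER, settings.LAYMAN_GS_ROLE),
+                    (settings.GEOSERVER_ADMIN_USER, 'ADMIN'),
+                    ]
+    query = f"""
+    with exp_relations as(
+    SELECT w.name, %s
+    FROM {settings.LAYMAN_PRIME_SCHEMA}.users u inner join
+    {settings.LAYMAN_PRIME_SCHEMA}.workspaces w on u.id_workspace = w.id
+    UNION ALL
+    select w.name as username,
+    concat('USER_', UPPER(w.name)) as rolename
+    from {settings.LAYMAN_PRIME_SCHEMA}.users u inner join
+    {settings.LAYMAN_PRIME_SCHEMA}.workspaces w on w.id = u.id_workspace
+    UNION ALL
+    select * from unnest (%s, %s) as exp_user_role(username, rolename)
+    )
+    select * from exp_relations
+    except
+    select username, rolename
+    from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.user_roles
+    """
+    user_roles = db_util.run_query(query, (settings.LAYMAN_GS_ROLE, [rel[0] for rel in exp_relation], [rel[1] for rel in exp_relation]), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
+    if user_roles:
+        raise Exception(
+            f"Missing user-role relation in JDBC Role service table user_roles: {[{'username': user_role[0], 'rolename': user_role[1]} for user_role in user_roles]}")
+
+
+def validate_role_service():
+    validate_role_table()
+    validate_user_roles_table()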
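Review bot: None of the three validators in `src/layman_start_util.py` documents what it checks or why a failure must stop startup, and each raises a bare `Exception`, so a caller such as the planned wait_for_deps.py cannot distinguish a misconfigured role service from an unrelated error. A one-line docstring per function would cover it, e.g. on `validate_role_table`: `"""Fail if the JDBC Role service roles table lacks ADMIN/GROUP_ADMIN/LAYMAN_GS_ROLE, holds names not matching ROLE_NAME_PATTERN or reserved names, or has the parent column filled."""`, and on `validate_user_roles_table`: `"""Fail if any expected user-role relation (per-workspace LAYMAN_GS_ROLE and USER_<NAME> roles plus the fixed admin relations) is absent from user_roles."""`. A module docstring stating that this module is meant to be importable without the `layman` package would also explain why it reads `layman_settings` directly, though the `ROLE_NAME_PATTERN` import from `layman.authz.role_service` currently contradicts that. Replacing `Exception` with a dedicated exception class is a small follow-up rather than part of this move.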