Badger service: also manage group membership

For the subscriber, demo and admin roles, the badger service now also manages group membership for the role-specific groups.
2016-06-14 15:39:22 +02:00
parent ec7b3159ac
commit ba1f8a4101
2 changed files with 74 additions and 3 deletions
--- a/tests/test_service_badger.py
+++ b/tests/test_service_badger.py
@@ -11,7 +11,8 @@ class BadgerServiceTest(AbstractPillarTest):

        with self.app.test_request_context():
            self.badger, token_doc = service.create_service_account(
-                'serviceaccount@example.com', [u'badger'], {u'badger': [u'succubus']}
+                'serviceaccount@example.com', [u'badger'],
+                {u'badger': [u'succubus', u'subscriber', u'demo']}
            )
            self.badger_token = token_doc['token']

@@ -49,3 +50,33 @@ class BadgerServiceTest(AbstractPillarTest):
        with self.app.test_request_context():
            user = self.app.data.driver.db['users'].find_one(self.user_id)
            self.assertNotIn(u'admin', user['roles'])
+
+    def test_group_membership(self):
+        """Certain roles are linked to certain groups."""
+
+        def test_for_group(group_name, test=self.assertIn):
+            # Create the group
+            with self.app.test_request_context():
+                groups_coll = self.app.data.driver.db['groups']
+                result = groups_coll.insert_one({'name': group_name})
+                group_id = result.inserted_id
+
+            # Assign the 'subscriber' role
+            resp = self._post({'action': 'grant',
+                               'user_email': self.user_email,
+                               'role': group_name})
+            self.assertEqual(204, resp.status_code)
+
+            # Check that the user is actually member of that group.
+            with self.app.test_request_context():
+                user = self.app.data.driver.db['users'].find_one(self.user_id)
+                test(group_id, user['groups'])
+
+        # There are special groups for those. Also for admin, but if
+        # it works for those, it also works for admin, and another test
+        # case requires admin to be ingrantable.
+        test_for_group('demo')
+        test_for_group('subscriber')
+
+        # This role isn't linked to group membership.
+        test_for_group('succubus', test=self.assertNotIn)