File: test_roles.py

from uuid import uuid4

import pytest
from unittest.mock import ANY

from azure.projects.resources._extension import add_extensions
from azure.projects.resources._extension.roles import BUILT_IN_ROLES, RoleAssignment
from azure.projects.resources.storage import StorageAccount
from azure.projects.resources.resourcegroup import ResourceGroup
from azure.projects.resources.managedidentity import UserAssignedIdentity
from azure.projects._parameters import GLOBAL_PARAMS
from azure.projects._resource import FieldType
from azure.projects._bicep.expressions import ResourceSymbol, Output, Guid, Variable, RoleDefinition
from azure.projects import Parameter, export

TEST_SUB = str(uuid4())
RG = ResourceSymbol("resourcegroup")
# principalId output of the user-assigned identity; the role assignments asserted
# on below are expected to carry this as their principalId.
IDENTITY = Output(None, "properties.principalId", ResourceSymbol("userassignedidentity"))


def _storage_role_guid(role_name):
    """Return the role-assignment ``name`` Guid expected for *role_name* on the "foo" storage account.

    Every input except the role name is fixed for the tests in this module:
    resource type token, environment name parameter, account name and principal type.
    """
    return Guid(
        "MicrosoftStoragestorageAccounts",
        GLOBAL_PARAMS["environmentName"],
        "foo",
        "ServicePrincipal",
        role_name,
    )


CONTRIB_GUID = _storage_role_guid("Storage Blob Data Contributor")
OWNER_GUID = _storage_role_guid("Storage Blob Data Owner")


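def test_roles_properties():
    """Role extensions on a StorageAccount become roleAssignments scoped to the account.

    Two ``StorageAccount`` declarations sharing the name "foo" each carry one
    managed-identity role and one user role. After ``add_extensions`` the merged
    ``storageaccount_foo`` field must hold two entries per role list, and the
    first managed-identity entry must be a ``Microsoft.Authorization/roleAssignments``
    resource whose principal is the user-assigned identity's principalId.
    """
    r = StorageAccount(
        name="foo", roles=["Storage Blob Data Contributor"], user_roles=["Storage Blob Data Contributor"]
    )
    assert r.properties == {"name": "foo", "properties": {}}
    assert r.extensions == {
        "managed_identity_roles": ["Storage Blob Data Contributor"],
        "user_roles": ["Storage Blob Data Contributor"],
    }
    fields = {}
    parameters = dict(GLOBAL_PARAMS)
    # TODO: Test with and without managed identity
    # A user-assigned identity is emitted alongside the account; the role
    # assignment asserted below references its principalId (IDENTITY).
    UserAssignedIdentity().__bicep__(fields, parameters=parameters)
    r.__bicep__(fields, parameters=parameters)

    r = StorageAccount(name="foo", roles=["Storage Blob Data Owner"], user_roles=["Owner"])
    assert r.properties == {"name": "foo", "properties": {}}
    assert r.extensions == {"managed_identity_roles": ["Storage Blob Data Owner"], "user_roles": ["Owner"]}
    symbols = r.__bicep__(fields, parameters=parameters)
    add_extensions(fields, parameters)

    storage_field = fields["storageaccount_foo"]
    # Both declarations contribute to the same field, so each role list has two entries.
    assert len(storage_field.extensions["managed_identity_roles"]) == 2
    assert len(storage_field.extensions["user_roles"]) == 2

    role_symbol = storage_field.extensions["managed_identity_roles"][0]
    role_field = fields[f"{role_symbol.value}"]
    assert role_field.resource == "Microsoft.Authorization/roleAssignments"
    assert role_field.properties == {
        "name": CONTRIB_GUID,
        # Scoped to the first symbol emitted by the storage account, not to a resource group.
        "scope": symbols[0],
        "properties": {
            "principalId": IDENTITY,
            "principalType": "ServicePrincipal",
            "roleDefinitionId": RoleDefinition("ba92f5b4-2d11-453d-a403-e96b0029c9fe"),
        },
    }
    assert role_field.symbol == role_symbol
    # The assignment is attached at account scope; no resource group is recorded on it.
    assert role_field.resource_group is None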


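def test_roles_defaults():
    """Built-in role names resolve to the definition IDs in ``BUILT_IN_ROLES``.

    Mirrors ``test_roles_properties`` for a single declaration, but checks the
    generated ``roleDefinitionId`` against the ``BUILT_IN_ROLES`` table rather
    than a hard-coded definition GUID.
    """
    # A RoleAssignment with no properties must be constructible (result intentionally unused).
    RoleAssignment({})
    r = StorageAccount(
        name="foo", roles=["Storage Blob Data Contributor"], user_roles=["Storage Blob Data Contributor"]
    )
    assert r.properties == {"name": "foo", "properties": {}}
    assert r.extensions == {
        "managed_identity_roles": ["Storage Blob Data Contributor"],
        "user_roles": ["Storage Blob Data Contributor"],
    }
    fields = {}
    parameters = dict(GLOBAL_PARAMS)
    # The identity's principalId (IDENTITY) is what the role assignment below must target.
    UserAssignedIdentity().__bicep__(fields, parameters=parameters)
    symbols = r.__bicep__(fields, parameters=parameters)
    add_extensions(fields, parameters)

    role_symbol = fields["storageaccount_foo"].extensions["managed_identity_roles"][0]
    role_field = fields[f"{role_symbol.value}"]
    assert role_field.properties == {
        "name": CONTRIB_GUID,
        "scope": symbols[0],
        "properties": {
            "principalId": IDENTITY,
            "principalType": "ServicePrincipal",
            "roleDefinitionId": BUILT_IN_ROLES["Storage Blob Data Contributor"],
        },
    }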


@pytest.mark.skip("TODO: Parameterization of roles doesn't work yet")
def test_roles_export_with_parameters(export_dir):
    """Roles supplied as ``Parameter`` objects should survive into the exported template.

    Skipped until parameterised roles are supported. ``export_dir`` is a fixture
    tuple whose entries 0 and 2 are passed as the output and infra directories.
    """
    user_role_param = Parameter("userRole", default={})
    all_roles_param = Parameter("allRoles", default=[])
    account = StorageAccount(name="foo", roles=all_roles_param, user_roles=[user_role_param])
    assert account.properties == {"name": "foo", "properties": {}}
    assert account.extensions == {"managed_identity_roles": all_roles_param, "user_roles": [user_role_param]}
    export(account, output_dir=export_dir[0], infra_dir=export_dir[2])