PyPI - qontract-reconcile - Versions diffs - 0.10.1rc1202__py3-none-any.whl → 0.10.2.dev2__py3-none-any.whl - Mend

qontract-reconcile 0.10.1rc1202py3-none-any.whl → 0.10.2.dev2py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

qontract_reconcile-0.10.2.dev2.dist-info/METADATA +500 -0
{qontract_reconcile-0.10.1rc1202.dist-info → qontract_reconcile-0.10.2.dev2.dist-info}/RECORD +12 -130
{qontract_reconcile-0.10.1rc1202.dist-info → qontract_reconcile-0.10.2.dev2.dist-info}/WHEEL +1 -2
{qontract_reconcile-0.10.1rc1202.dist-info → qontract_reconcile-0.10.2.dev2.dist-info}/entry_points.txt +1 -0
reconcile/aws_account_manager/README.md +5 -0
reconcile/change_owners/README.md +34 -0
reconcile/glitchtip/README.md +150 -0
reconcile/gql_definitions/introspection.json +51176 -0
reconcile/run_integration.py +293 -0
reconcile/utils/binary.py +2 -2
reconcile/utils/mr/README.md +198 -0
reconcile/utils/oc_map.py +2 -2
tools/qontract_cli.py +0 -0
qontract_reconcile-0.10.1rc1202.dist-info/METADATA +0 -64
qontract_reconcile-0.10.1rc1202.dist-info/top_level.txt +0 -3
reconcile/test/__init__.py +0 -0
reconcile/test/conftest.py +0 -157
reconcile/test/fixtures.py +0 -24
reconcile/test/saas_auto_promotions_manager/__init__.py +0 -0
reconcile/test/saas_auto_promotions_manager/conftest.py +0 -170
reconcile/test/saas_auto_promotions_manager/merge_request_manager/__init__.py +0 -0
reconcile/test/saas_auto_promotions_manager/merge_request_manager/merge_request_manager/__init__.py +0 -0
reconcile/test/saas_auto_promotions_manager/merge_request_manager/merge_request_manager/conftest.py +0 -115
reconcile/test/saas_auto_promotions_manager/merge_request_manager/merge_request_manager/data_keys.py +0 -19
reconcile/test/saas_auto_promotions_manager/merge_request_manager/merge_request_manager/test_desired_state.py +0 -66
reconcile/test/saas_auto_promotions_manager/merge_request_manager/merge_request_manager/test_merge_request_manager.py +0 -86
reconcile/test/saas_auto_promotions_manager/merge_request_manager/merge_request_manager/test_mr_parser.py +0 -352
reconcile/test/saas_auto_promotions_manager/merge_request_manager/merge_request_manager/test_reconciler.py +0 -494
reconcile/test/saas_auto_promotions_manager/merge_request_manager/renderer/__init__.py +0 -0
reconcile/test/saas_auto_promotions_manager/merge_request_manager/renderer/conftest.py +0 -25
reconcile/test/saas_auto_promotions_manager/merge_request_manager/renderer/test_content_multiple_namespaces.py +0 -37
reconcile/test/saas_auto_promotions_manager/merge_request_manager/renderer/test_content_single_namespace.py +0 -81
reconcile/test/saas_auto_promotions_manager/merge_request_manager/renderer/test_content_single_target.py +0 -61
reconcile/test/saas_auto_promotions_manager/merge_request_manager/renderer/test_json_path_selector.py +0 -74
reconcile/test/saas_auto_promotions_manager/test_integration_test.py +0 -52
reconcile/test/saas_auto_promotions_manager/utils/__init__.py +0 -0
reconcile/test/test_acs_notifiers.py +0 -393
reconcile/test/test_acs_policies.py +0 -497
reconcile/test/test_acs_rbac.py +0 -865
reconcile/test/test_aggregated_list.py +0 -237
reconcile/test/test_amtool.py +0 -37
reconcile/test/test_aws_ami_cleanup.py +0 -230
reconcile/test/test_aws_ami_share.py +0 -68
reconcile/test/test_aws_cloudwatch_log_retention.py +0 -434
reconcile/test/test_aws_iam_keys.py +0 -70
reconcile/test/test_aws_iam_password_reset.py +0 -35
reconcile/test/test_aws_support_cases_sos.py +0 -23
reconcile/test/test_checkpoint.py +0 -178
reconcile/test/test_cli.py +0 -41
reconcile/test/test_closedbox_endpoint_monitoring.py +0 -207
reconcile/test/test_dashdotdb_dora.py +0 -245
reconcile/test/test_database_access_manager.py +0 -660
reconcile/test/test_deadmanssnitch.py +0 -290
reconcile/test/test_gabi_authorized_users.py +0 -72
reconcile/test/test_gcr_mirror.py +0 -14
reconcile/test/test_github_org.py +0 -156
reconcile/test/test_github_repo_invites.py +0 -119
reconcile/test/test_gitlab_housekeeping.py +0 -333
reconcile/test/test_gitlab_labeler.py +0 -126
reconcile/test/test_gitlab_members.py +0 -219
reconcile/test/test_gitlab_permissions.py +0 -164
reconcile/test/test_instrumented_wrappers.py +0 -18
reconcile/test/test_integrations_manager.py +0 -1252
reconcile/test/test_jenkins_worker_fleets.py +0 -57
reconcile/test/test_jira_permissions_validator.py +0 -519
reconcile/test/test_jump_host.py +0 -114
reconcile/test/test_ldap_users.py +0 -125
reconcile/test/test_make.py +0 -28
reconcile/test/test_ocm_additional_routers.py +0 -133
reconcile/test/test_ocm_clusters.py +0 -798
reconcile/test/test_ocm_clusters_manifest_updates.py +0 -87
reconcile/test/test_ocm_machine_pools.py +0 -1103
reconcile/test/test_ocm_update_recommended_version.py +0 -145
reconcile/test/test_ocm_upgrade_scheduler_org_updater.py +0 -125
reconcile/test/test_openshift_base.py +0 -1269
reconcile/test/test_openshift_cluster_bots.py +0 -240
reconcile/test/test_openshift_namespace_labels.py +0 -344
reconcile/test/test_openshift_namespaces.py +0 -256
reconcile/test/test_openshift_resource.py +0 -443
reconcile/test/test_openshift_resources_base.py +0 -478
reconcile/test/test_openshift_saas_deploy.py +0 -188
reconcile/test/test_openshift_saas_deploy_change_tester.py +0 -308
reconcile/test/test_openshift_saas_deploy_trigger_cleaner.py +0 -65
reconcile/test/test_openshift_serviceaccount_tokens.py +0 -282
reconcile/test/test_openshift_tekton_resources.py +0 -265
reconcile/test/test_openshift_upgrade_watcher.py +0 -223
reconcile/test/test_prometheus_rules_tester.py +0 -151
reconcile/test/test_quay_membership.py +0 -86
reconcile/test/test_quay_mirror.py +0 -172
reconcile/test/test_quay_mirror_org.py +0 -82
reconcile/test/test_quay_repos.py +0 -59
reconcile/test/test_queries.py +0 -53
reconcile/test/test_repo_owners.py +0 -47
reconcile/test/test_requests_sender.py +0 -139
reconcile/test/test_saasherder.py +0 -1611
reconcile/test/test_saasherder_allowed_secret_paths.py +0 -125
reconcile/test/test_secret_reader.py +0 -153
reconcile/test/test_slack_base.py +0 -183
reconcile/test/test_slack_usergroups.py +0 -785
reconcile/test/test_sql_query.py +0 -316
reconcile/test/test_status_board.py +0 -258
reconcile/test/test_terraform_aws_route53.py +0 -29
reconcile/test/test_terraform_cloudflare_dns.py +0 -117
reconcile/test/test_terraform_cloudflare_resources.py +0 -408
reconcile/test/test_terraform_cloudflare_users.py +0 -747
reconcile/test/test_terraform_repo.py +0 -440
reconcile/test/test_terraform_resources.py +0 -519
reconcile/test/test_terraform_tgw_attachments.py +0 -1295
reconcile/test/test_terraform_users.py +0 -152
reconcile/test/test_terraform_vpc_peerings.py +0 -576
reconcile/test/test_terraform_vpc_peerings_build_desired_state.py +0 -1434
reconcile/test/test_three_way_diff_strategy.py +0 -131
reconcile/test/test_utils_jinja2.py +0 -130
reconcile/test/test_vault_replication.py +0 -534
reconcile/test/test_vault_utils.py +0 -47
reconcile/test/test_version_bump.py +0 -18
reconcile/test/test_vpc_peerings_validator.py +0 -194
reconcile/test/test_wrong_region.py +0 -78
release/__init__.py +0 -0
release/test_version.py +0 -50
release/version.py +0 -104
tools/cli_commands/test/__init__.py +0 -0
tools/cli_commands/test/conftest.py +0 -332
tools/cli_commands/test/test_aws_cost_report.py +0 -258
tools/cli_commands/test/test_cost_management_api.py +0 -326
tools/cli_commands/test/test_gpg_encrypt.py +0 -235
tools/cli_commands/test/test_openshift_cost_optimization_report.py +0 -255
tools/cli_commands/test/test_openshift_cost_report.py +0 -295
tools/cli_commands/test/test_util.py +0 -70
tools/test/__init__.py +0 -0
tools/test/conftest.py +0 -77
tools/test/test_app_interface_metrics_exporter.py +0 -48
tools/test/test_erv2.py +0 -80
tools/test/test_get_container_images.py +0 -230
tools/test/test_qontract_cli.py +0 -197
tools/test/test_saas_promotion_state.py +0 -187
tools/test/test_sd_app_sre_alert_report.py +0 -74
tools/test/test_sre_checkpoints.py +0 -79

reconcile/test/test_acs_rbac.py DELETED Viewed

@@ -1,865 +0,0 @@
-import copy
-from unittest.mock import Mock
-import pytest
-from pytest_mock import MockerFixture
-from reconcile.acs_rbac import (
-    AcsAccessScope,
-    AcsRbacIntegration,
-    AcsRole,
-    AssignmentPair,
-)
-from reconcile.gql_definitions.acs.acs_rbac import (
-    AcsRbacQueryData,
-    ClusterV1,
-    NamespaceV1,
-    NamespaceV1_ClusterV1,
-    OidcPermissionAcsV1,
-    RoleV1,
-    UserV1,
-)
-from reconcile.utils.acs import rbac
-AUTH_PROVIDER_ID = "6a41743c-792b-11ee-b962-0242ac120002"
-@pytest.fixture
-def query_data_desired_state() -> AcsRbacQueryData:
-    return AcsRbacQueryData(
-        acs_rbacs=[
-            UserV1(
-                org_username="foo",
-                roles=[
-                    RoleV1(
-                        name="app-sre-admin",
-                        oidc_permissions=[
-                            OidcPermissionAcsV1(
-                                name="app-sre-acs-admin",
-                                description="admin access to acs instance",
-                                service="acs",
-                                permission_set="admin",
-                                clusters=[],
-                                namespaces=[],
-                            )
-                        ],
-                    )
-                ],
-            ),
-            UserV1(
-                org_username="bar",
-                roles=[
-                    RoleV1(
-                        name="app-sre-admin",
-                        oidc_permissions=[
-                            OidcPermissionAcsV1(
-                                name="app-sre-acs-admin",
-                                description="admin access to acs instance",
-                                service="acs",
-                                permission_set="admin",
-                                clusters=[],
-                                namespaces=[],
-                            )
-                        ],
-                    )
-                ],
-            ),
-            UserV1(
-                org_username="foofoo",
-                roles=[
-                    RoleV1(
-                        name="tenant-role-a",
-                        oidc_permissions=[
-                            OidcPermissionAcsV1(
-                                name="cluster-analyst",
-                                description="analyst access to clusters in acs instance",
-                                service="acs",
-                                permission_set="analyst",
-                                clusters=[
-                                    ClusterV1(name="clusterA"),
-                                    ClusterV1(name="clusterB"),
-                                ],
-                                namespaces=[],
-                            )
-                        ],
-                    )
-                ],
-            ),
-            UserV1(
-                org_username="barbar",
-                roles=[
-                    RoleV1(
-                        name="tenant-role-a",
-                        oidc_permissions=[
-                            OidcPermissionAcsV1(
-                                name="cluster-analyst",
-                                description="analyst access to clusters in acs instance",
-                                service="acs",
-                                permission_set="analyst",
-                                clusters=[
-                                    ClusterV1(name="clusterA"),
-                                    ClusterV1(name="clusterB"),
-                                ],
-                                namespaces=[],
-                            )
-                        ],
-                    )
-                ],
-            ),
-            UserV1(
-                org_username="foobar",
-                roles=[
-                    RoleV1(
-                        name="tenant-role-b",
-                        oidc_permissions=[
-                            OidcPermissionAcsV1(
-                                name="service-vuln-admin",
-                                description="vuln-admin access to service namespaces in acs instance",
-                                service="acs",
-                                permission_set="vuln-admin",
-                                clusters=[],
-                                namespaces=[
-                                    NamespaceV1(
-                                        name="serviceA-stage",
-                                        cluster=NamespaceV1_ClusterV1(
-                                            name="stage-cluster"
-                                        ),
-                                    ),
-                                    NamespaceV1(
-                                        name="serviceA-prod",
-                                        cluster=NamespaceV1_ClusterV1(
-                                            name="prod-cluster"
-                                        ),
-                                    ),
-                                ],
-                            )
-                        ],
-                    )
-                ],
-            ),
-        ]
-    )
-@pytest.fixture
-def modeled_acs_roles() -> list[AcsRole]:
-    return [
-        AcsRole(
-            name="app-sre-acs-admin",
-            description="admin access to acs instance",
-            assignments=[
-                AssignmentPair(key="userid", value="foo"),
-                AssignmentPair(key="userid", value="bar"),
-            ],
-            permission_set_name="Admin",
-            access_scope=AcsAccessScope(
-                name="Unrestricted",
-                description="Access to all clusters and namespaces",
-                clusters=[],
-                namespaces=[],
-            ),
-            system_default=False,
-        ),
-        AcsRole(
-            name="cluster-analyst",
-            description="analyst access to clusters in acs instance",
-            assignments=[
-                AssignmentPair(key="userid", value="foofoo"),
-                AssignmentPair(key="userid", value="barbar"),
-            ],
-            permission_set_name="Analyst",
-            access_scope=AcsAccessScope(
-                name="cluster-analyst",
-                description="analyst access to clusters in acs instance",
-                clusters=["clusterA", "clusterB"],
-                namespaces=[],
-            ),
-            system_default=False,
-        ),
-        AcsRole(
-            name="service-vuln-admin",
-            description="vuln-admin access to service namespaces in acs instance",
-            assignments=[AssignmentPair(key="userid", value="foobar")],
-            permission_set_name="Vulnerability Management Admin",
-            access_scope=AcsAccessScope(
-                name="service-vuln-admin",
-                description="vuln-admin access to service namespaces in acs instance",
-                clusters=[],
-                namespaces=[
-                    {"clusterName": "stage-cluster", "namespaceName": "serviceA-stage"},
-                    {"clusterName": "prod-cluster", "namespaceName": "serviceA-prod"},
-                ],
-            ),
-            system_default=False,
-        ),
-    ]
-@pytest.fixture
-def api_response_roles() -> list[rbac.Role]:
-    return [
-        rbac.Role(
-            api_data={
-                "name": "app-sre-acs-admin",
-                "permissionSetId": "1",
-                "accessScopeId": "1",
-                "description": "admin access to acs instance",
-                "system_default": False,
-            }
-        ),
-        rbac.Role(
-            api_data={
-                "name": "cluster-analyst",
-                "permissionSetId": "2",
-                "accessScopeId": "2",
-                "description": "analyst access to clusters in acs instance",
-                "system_default": False,
-            }
-        ),
-        rbac.Role(
-            api_data={
-                "name": "service-vuln-admin",
-                "permissionSetId": "3",
-                "accessScopeId": "3",
-                "description": "vuln-admin access to service namespaces in acs instance",
-                "system_default": False,
-            }
-        ),
-    ]
-@pytest.fixture
-def api_response_groups() -> list[rbac.Group]:
-    return [
-        rbac.Group(
-            api_data={
-                "roleName": "app-sre-acs-admin",
-                "props": {
-                    "id": "1",
-                    "authProviderId": AUTH_PROVIDER_ID,
-                    "key": "userid",
-                    "value": "foo",
-                },
-            }
-        ),
-        rbac.Group(
-            api_data={
-                "roleName": "app-sre-acs-admin",
-                "props": {
-                    "id": "2",
-                    "authProviderId": AUTH_PROVIDER_ID,
-                    "key": "userid",
-                    "value": "bar",
-                },
-            }
-        ),
-        rbac.Group(
-            api_data={
-                "roleName": "cluster-analyst",
-                "props": {
-                    "id": "3",
-                    "authProviderId": AUTH_PROVIDER_ID,
-                    "key": "userid",
-                    "value": "foofoo",
-                },
-            }
-        ),
-        rbac.Group(
-            api_data={
-                "roleName": "cluster-analyst",
-                "props": {
-                    "id": "4",
-                    "authProviderId": AUTH_PROVIDER_ID,
-                    "key": "userid",
-                    "value": "barbar",
-                },
-            }
-        ),
-        rbac.Group(
-            api_data={
-                "roleName": "service-vuln-admin",
-                "props": {
-                    "id": "5",
-                    "authProviderId": AUTH_PROVIDER_ID,
-                    "key": "userid",
-                    "value": "foobar",
-                },
-            }
-        ),
-    ]
-@pytest.fixture
-def api_response_access_scopes() -> list[rbac.AccessScope]:
-    return [
-        rbac.AccessScope(
-            api_data={
-                "id": "1",
-                "name": "Unrestricted",
-                "description": "Access to all clusters and namespaces",
-                "rules": None,
-            }
-        ),
-        rbac.AccessScope(
-            api_data={
-                "id": "2",
-                "name": "cluster-analyst",
-                "description": "analyst access to clusters in acs instance",
-                "rules": {
-                    "includedClusters": ["clusterA", "clusterB"],
-                    "includedNamespaces": [],
-                },
-            }
-        ),
-        rbac.AccessScope(
-            api_data={
-                "id": "3",
-                "name": "service-vuln-admin",
-                "description": "vuln-admin access to service namespaces in acs instance",
-                "rules": {
-                    "includedClusters": [],
-                    "includedNamespaces": [
-                        {
-                            "clusterName": "stage-cluster",
-                            "namespaceName": "serviceA-stage",
-                        },
-                        {
-                            "clusterName": "prod-cluster",
-                            "namespaceName": "serviceA-prod",
-                        },
-                    ],
-                },
-            }
-        ),
-    ]
-@pytest.fixture
-def api_response_permission_sets() -> list[rbac.PermissionSet]:
-    return [
-        rbac.PermissionSet(
-            api_data={
-                "id": "1",
-                "name": "Admin",
-            }
-        ),
-        rbac.PermissionSet(
-            api_data={
-                "id": "2",
-                "name": "Analyst",
-            }
-        ),
-        rbac.PermissionSet(
-            api_data={
-                "id": "3",
-                "name": "Vulnerability Management Admin",
-            }
-        ),
-    ]
-def test_get_desired_state(
-    mocker: MockerFixture,
-    query_data_desired_state: AcsRbacQueryData,
-    modeled_acs_roles: list[AcsRole],
-):
-    query_func = mocker.patch("reconcile.acs_rbac.acs_rbac_query", autospec=True)
-    query_func.return_value = query_data_desired_state
-    integration = AcsRbacIntegration()
-    result = integration.get_desired_state(query_func)
-    assert result == modeled_acs_roles
-def test_get_current_state(
-    modeled_acs_roles: list[AcsRole],
-    api_response_roles: list[rbac.Role],
-    api_response_groups: list[rbac.Group],
-    api_response_access_scopes: list[rbac.AccessScope],
-    api_response_permission_sets: list[rbac.PermissionSet],
-):
-    integration = AcsRbacIntegration()
-    result = integration.get_current_state(
-        AUTH_PROVIDER_ID,
-        rbac.RbacResources(
-            roles=api_response_roles,
-            access_scopes=api_response_access_scopes,
-            groups=api_response_groups,
-            permission_sets=api_response_permission_sets,
-        ),
-    )
-    assert result == modeled_acs_roles
-def test_add_rbac_dry_run(
-    mocker: MockerFixture,
-    modeled_acs_roles: list[AcsRole],
-    api_response_access_scopes: list[rbac.AccessScope],
-    api_response_permission_sets: list[rbac.PermissionSet],
-):
-    dry_run = True
-    desired = modeled_acs_roles
-    current = modeled_acs_roles[:-1]
-    current_access_scopes = api_response_access_scopes[:-1]
-    acs_mock = Mock()
-    rbac_api_resources = rbac.RbacResources(
-        roles=[],
-        access_scopes=current_access_scopes,
-        groups=[],
-        permission_sets=api_response_permission_sets,
-    )
-    mocker.patch.object(
-        acs_mock, "create_access_scope", side_effect=[api_response_access_scopes[2].id]
-    )
-    mocker.patch.object(acs_mock, "create_role")
-    mocker.patch.object(acs_mock, "create_group_batch")
-    integration = AcsRbacIntegration()
-    integration.reconcile(
-        desired=desired,
-        current=current,
-        rbac_api_resources=rbac_api_resources,
-        acs=acs_mock,
-        auth_provider_id=AUTH_PROVIDER_ID,
-        dry_run=dry_run,
-    )
-    acs_mock.create_access_scope.assert_not_called()
-    acs_mock.create_role.assert_not_called()
-    acs_mock.create_group_batch.assert_not_called()
-def test_add_rbac(
-    mocker: MockerFixture,
-    modeled_acs_roles: list[AcsRole],
-    api_response_access_scopes: list[rbac.AccessScope],
-    api_response_permission_sets: list[rbac.PermissionSet],
-):
-    dry_run = False
-    desired = modeled_acs_roles
-    current = modeled_acs_roles[:-1]
-    current_access_scopes = api_response_access_scopes[:-1]
-    acs_mock = Mock()
-    rbac_api_resources = rbac.RbacResources(
-        roles=[],
-        access_scopes=current_access_scopes,
-        groups=[],
-        permission_sets=api_response_permission_sets,
-    )
-    mocker.patch.object(
-        acs_mock, "create_access_scope", side_effect=[api_response_access_scopes[2].id]
-    )
-    mocker.patch.object(acs_mock, "create_role")
-    mocker.patch.object(acs_mock, "create_group_batch")
-    integration = AcsRbacIntegration()
-    integration.reconcile(
-        desired=desired,
-        current=current,
-        rbac_api_resources=rbac_api_resources,
-        acs=acs_mock,
-        auth_provider_id=AUTH_PROVIDER_ID,
-        dry_run=dry_run,
-    )
-    acs_mock.create_access_scope.assert_has_calls([
-        mocker.call(
-            desired[2].access_scope.name,
-            desired[2].access_scope.description,
-            desired[2].access_scope.clusters,
-            desired[2].access_scope.namespaces,
-        ),
-    ])
-    acs_mock.create_role.assert_has_calls([
-        mocker.call(
-            desired[2].name,
-            desired[2].description,
-            api_response_permission_sets[2].id,
-            api_response_access_scopes[2].id,
-        ),
-    ])
-    acs_mock.create_group_batch.assert_has_calls([
-        mocker.call([
-            rbac.AcsRbacApi.GroupAdd(
-                role_name=desired[2].name,
-                key=a.key,
-                value=a.value,
-                auth_provider_id=AUTH_PROVIDER_ID,
-            )
-            for a in desired[2].assignments
-        ])
-    ])
-def test_delete_rbac_dry_run(
-    mocker: MockerFixture,
-    modeled_acs_roles: list[AcsRole],
-    api_response_access_scopes: list[rbac.AccessScope],
-    api_response_groups: list[rbac.Group],
-):
-    dry_run = True
-    current = modeled_acs_roles
-    desired = modeled_acs_roles[:-1]  # remove 'cluster-analyst' role
-    acs_mock = Mock()
-    rbac_api_resources = rbac.RbacResources(
-        roles=[],
-        access_scopes=api_response_access_scopes,
-        groups=api_response_groups,
-        permission_sets=[],
-    )
-    mocker.patch.object(acs_mock, "delete_role")
-    mocker.patch.object(acs_mock, "delete_group_batch")
-    mocker.patch.object(acs_mock, "delete_access_scope")
-    integration = AcsRbacIntegration()
-    integration.reconcile(
-        desired=desired,
-        current=current,
-        rbac_api_resources=rbac_api_resources,
-        acs=acs_mock,
-        auth_provider_id=AUTH_PROVIDER_ID,
-        dry_run=dry_run,
-    )
-    acs_mock.delete_role.assert_not_called()
-    acs_mock.delete_group_batch.assert_not_called()
-    acs_mock.delete_access_scope.assert_not_called()
-def test_delete_rbac(
-    mocker: MockerFixture,
-    modeled_acs_roles: list[AcsRole],
-    api_response_access_scopes: list[rbac.AccessScope],
-    api_response_groups: list[rbac.Group],
-):
-    dry_run = False
-    current = modeled_acs_roles
-    desired = (
-        modeled_acs_roles[:1] + modeled_acs_roles[2:]
-    )  # remove 'cluster-analyst' role
-    acs_mock = Mock()
-    rbac_api_resources = rbac.RbacResources(
-        roles=[],
-        access_scopes=api_response_access_scopes,
-        groups=api_response_groups,
-        permission_sets=[],
-    )
-    mocker.patch.object(acs_mock, "delete_role")
-    mocker.patch.object(acs_mock, "delete_group_batch")
-    mocker.patch.object(acs_mock, "delete_access_scope")
-    integration = AcsRbacIntegration()
-    integration.reconcile(
-        desired=desired,
-        current=current,
-        rbac_api_resources=rbac_api_resources,
-        acs=acs_mock,
-        auth_provider_id=AUTH_PROVIDER_ID,
-        dry_run=dry_run,
-    )
-    acs_mock.delete_role.assert_has_calls([mocker.call(current[1].name)])
-    acs_mock.delete_group_batch.assert_has_calls([
-        mocker.call([api_response_groups[2], api_response_groups[3]])
-    ])
-    acs_mock.delete_access_scope.assert_has_calls([
-        mocker.call(api_response_access_scopes[1].id)
-    ])
-def test_update_rbac_groups_only(
-    mocker: MockerFixture,
-    modeled_acs_roles: list[AcsRole],
-    api_response_access_scopes: list[rbac.AccessScope],
-    api_response_permission_sets: list[rbac.PermissionSet],
-    api_response_groups: list[rbac.Group],
-):
-    dry_run = False
-    desired = modeled_acs_roles
-    current = copy.deepcopy(modeled_acs_roles)
-    # change a user assignment in 'app-sre-acs-admin' role
-    current[0].assignments[0].value = "lasagna"
-    current_groups = copy.deepcopy(api_response_groups)
-    current_groups[0].value = "lasagna"
-    acs_mock = Mock()
-    rbac_api_resources = rbac.RbacResources(
-        roles=[],
-        access_scopes=api_response_access_scopes,
-        groups=current_groups,
-        permission_sets=api_response_permission_sets,
-    )
-    mocker.patch.object(acs_mock, "update_group_batch")
-    mocker.patch.object(acs_mock, "update_access_scope")
-    mocker.patch.object(acs_mock, "update_role")
-    integration = AcsRbacIntegration()
-    integration.reconcile(
-        desired=desired,
-        current=current,
-        rbac_api_resources=rbac_api_resources,
-        acs=acs_mock,
-        auth_provider_id=AUTH_PROVIDER_ID,
-        dry_run=dry_run,
-    )
-    acs_mock.update_group_batch.assert_has_calls([
-        mocker.call(
-            [current_groups[0]],
-            [
-                rbac.AcsRbacApi.GroupAdd(
-                    role_name=desired[0].name,
-                    key=desired[0].assignments[0].key,
-                    value=desired[0].assignments[0].value,
-                    auth_provider_id=AUTH_PROVIDER_ID,
-                )
-            ],
-        )
-    ])
-    acs_mock.update_access_scope.assert_not_called()
-    acs_mock.update_role.assert_not_called()
-def test_full_reconcile(
-    mocker: MockerFixture,
-    modeled_acs_roles: list[AcsRole],
-    api_response_access_scopes: list[rbac.AccessScope],
-    api_response_permission_sets: list[rbac.PermissionSet],
-    api_response_groups: list[rbac.Group],
-):
-    dry_run = False
-    # trigger creation of new role and deletion of existing 'service-vuln-admin' role
-    desired = modeled_acs_roles[:-1] + [
-        AcsRole(
-            name="new-role",
-            description="add me",
-            assignments=[
-                AssignmentPair(key="userid", value="elsa"),
-                AssignmentPair(key="userid", value="anna"),
-            ],
-            permission_set_name="Admin",
-            access_scope=AcsAccessScope(
-                name="Unrestricted",
-                description="Access to all clusters and namespaces",
-                clusters=[],
-                namespaces=[],
-            ),
-            system_default=False,
-        )
-    ]
-    current = copy.deepcopy(modeled_acs_roles)
-    # change permission set to trigger update to existing 'cluster-analyst' role
-    current[1].permission_set_name = "Vulnerability Management Admin"
-    # remove a cluster from scope to trigger update to access scope of 'cluster-analyst'
-    current[1].access_scope.clusters.pop()
-    current_access_scopes = copy.deepcopy(api_response_access_scopes)
-    current_access_scopes[1].clusters.pop()
-    acs_mock = Mock()
-    rbac_api_resources = rbac.RbacResources(
-        roles=[],
-        access_scopes=current_access_scopes,
-        groups=api_response_groups,
-        permission_sets=api_response_permission_sets,
-    )
-    mocker.patch.object(acs_mock, "create_access_scope")
-    mocker.patch.object(acs_mock, "create_role")
-    mocker.patch.object(acs_mock, "create_group_batch")
-    mocker.patch.object(acs_mock, "delete_role")
-    mocker.patch.object(acs_mock, "delete_group_batch")
-    mocker.patch.object(acs_mock, "delete_access_scope")
-    mocker.patch.object(acs_mock, "update_group_batch")
-    mocker.patch.object(acs_mock, "update_access_scope")
-    mocker.patch.object(acs_mock, "update_role")
-    integration = AcsRbacIntegration()
-    integration.reconcile(
-        desired=desired,
-        current=current,
-        rbac_api_resources=rbac_api_resources,
-        acs=acs_mock,
-        auth_provider_id=AUTH_PROVIDER_ID,
-        dry_run=dry_run,
-    )
-    acs_mock.create_role.assert_has_calls([
-        mocker.call(
-            desired[2].name,
-            desired[2].description,
-            api_response_permission_sets[0].id,
-            api_response_access_scopes[0].id,
-        ),
-    ])
-    acs_mock.create_group_batch.assert_has_calls([
-        mocker.call([
-            rbac.AcsRbacApi.GroupAdd(
-                role_name=desired[2].name,
-                key=a.key,
-                value=a.value,
-                auth_provider_id=AUTH_PROVIDER_ID,
-            )
-            for a in desired[2].assignments
-        ])
-    ])
-    acs_mock.delete_role.assert_has_calls([mocker.call(current[2].name)])
-    acs_mock.delete_group_batch.assert_has_calls([
-        mocker.call([api_response_groups[4]])
-    ])
-    acs_mock.delete_access_scope.assert_has_calls([
-        mocker.call(api_response_access_scopes[2].id)
-    ])
-    acs_mock.update_role.assert_has_calls([
-        mocker.call(
-            desired[1].name,
-            desired[1].description,
-            # use originals
-            api_response_permission_sets[1].id,
-            api_response_access_scopes[1].id,
-        )
-    ])
-    acs_mock.update_access_scope.assert_has_calls([
-        mocker.call(
-            api_response_access_scopes[1].id,
-            desired[1].access_scope.name,
-            desired[1].access_scope.description,
-            desired[1].access_scope.clusters,
-            desired[1].access_scope.namespaces,
-        )
-    ])
-    # new desired role is admin scope. Should use existing 'Unrestricted' system default
-    acs_mock.create_access_scope.assert_not_called()
-    acs_mock.update_group_batch.assert_not_called()
-def test_full_reconcile_with_errors(
-    mocker: MockerFixture,
-    modeled_acs_roles: list[AcsRole],
-    api_response_access_scopes: list[rbac.AccessScope],
-    api_response_permission_sets: list[rbac.PermissionSet],
-    api_response_groups: list[rbac.Group],
-):
-    dry_run = False
-    desired = modeled_acs_roles[:-1] + [
-        AcsRole(
-            name="new-role",
-            description="add me",
-            assignments=[
-                AssignmentPair(key="userid", value="elsa"),
-                AssignmentPair(key="userid", value="anna"),
-            ],
-            permission_set_name="Admin",
-            access_scope=AcsAccessScope(
-                name="Unrestricted",
-                description="Access to all clusters and namespaces",
-                clusters=[],
-                namespaces=[],
-            ),
-            system_default=False,
-        )
-    ]
-    current = copy.deepcopy(modeled_acs_roles)
-    # change permission set to trigger update to existing 'cluster-analyst' role
-    current[1].permission_set_name = "Vulnerability Management Admin"
-    # remove a cluster from scope to trigger update to access scope of 'cluster-analyst'
-    current[1].access_scope.clusters.pop()
-    current_access_scopes = copy.deepcopy(api_response_access_scopes)
-    current_access_scopes[1].clusters.pop()
-    acs_mock = Mock()
-    rbac_api_resources = rbac.RbacResources(
-        roles=[],
-        access_scopes=current_access_scopes,
-        groups=api_response_groups,
-        permission_sets=api_response_permission_sets,
-    )
-    mocker.patch.object(acs_mock, "create_access_scope")
-    mocker.patch.object(
-        acs_mock, "create_role", side_effect=Exception("Simulated error")
-    )
-    mocker.patch.object(acs_mock, "create_group_batch")
-    mocker.patch.object(
-        acs_mock, "delete_group_batch", side_effect=Exception("Simulated error")
-    )
-    mocker.patch.object(acs_mock, "delete_role")
-    mocker.patch.object(acs_mock, "delete_access_scope")
-    mocker.patch.object(acs_mock, "update_group_batch")
-    mocker.patch.object(acs_mock, "update_access_scope")
-    mocker.patch.object(acs_mock, "update_role")
-    integration = AcsRbacIntegration()
-    with pytest.raises(ExceptionGroup) as exc_info:
-        integration.reconcile(
-            desired=desired,
-            current=current,
-            rbac_api_resources=rbac_api_resources,
-            acs=acs_mock,
-            auth_provider_id=AUTH_PROVIDER_ID,
-            dry_run=dry_run,
-        )
-    # call to 'create_role' failed. remaining create logic should be skipped
-    acs_mock.create_role.assert_has_calls([
-        mocker.call(
-            desired[2].name,
-            desired[2].description,
-            api_response_permission_sets[0].id,
-            api_response_access_scopes[0].id,
-        ),
-    ])
-    acs_mock.create_group_batch.assert_not_called()
-    acs_mock.delete_group_batch.assert_has_calls([
-        mocker.call([api_response_groups[4]])
-    ])
-    # call to 'delete_group_batch' failed. remaining delete logic should be skipped
-    acs_mock.delete_role.assert_not_called()
-    acs_mock.delete_access_scope.assert_not_called()
-    acs_mock.update_role.assert_has_calls([
-        mocker.call(
-            desired[1].name,
-            desired[1].description,
-            # use originals
-            api_response_permission_sets[1].id,
-            api_response_access_scopes[1].id,
-        )
-    ])
-    acs_mock.update_access_scope.assert_has_calls([
-        mocker.call(
-            api_response_access_scopes[1].id,
-            desired[1].access_scope.name,
-            desired[1].access_scope.description,
-            desired[1].access_scope.clusters,
-            desired[1].access_scope.namespaces,
-        )
-    ])
-    # new desired role is admin scope. Should use existing 'Unrestricted' system default
-    acs_mock.create_access_scope.assert_not_called()
-    acs_mock.update_group_batch.assert_not_called()
-    assert "Reconcile errors occurred" in str(exc_info.value)

qontract-reconcile 0.10.1rc1202__py3-none-any.whl → 0.10.2.dev2__py3-none-any.whl

qontract-reconcile 0.10.1rc1202py3-none-any.whl → 0.10.2.dev2py3-none-any.whl