Sub-task
Resolution: Done
Quality / Stability / Reliability
Sprints: A&M Tech Debt Sprint Q1 2025, Access & Management Sprint 106, Access & Management Sprint 107, Access & Management Sprint 108, Access & Management Sprint 109, Access & Management Sprint 110, Access & Management Sprint 111, A&M Tech Debt Sprint Q2 2025, Access & Management Sprint 112
File
rbac/management/group/view.py
Tests
Unauthorized user is identified as such
Description
In order to add or remove service accounts from a group, the user must satisfy one of the following:
- Be an organization administrator.
- Be the owner of the service account.
- Hold the "User Access administrator" permission.
The goal of the test is to make sure the function raises an exception when the user isn't any of the above.
Preconditions
- Create a new user object with the admin property set to false.
- Set the user object's username to "something-else".
- Create a service account dict with the "owner" property set to "not-owner".
Desired output
When calling GroupViewSet#user_has_permission_act_on_service_account, expect an InsufficientPrivilegesError exception to be raised.
Organization admin is able to act on a service account
Description
In order to add or remove service accounts from a group, the user must satisfy one of the following:
- Be an organization administrator.
- Be the owner of the service account.
- Hold the "User Access administrator" permission.
The goal of the test is to make sure that when the user is an organization administrator, the function under test doesn't raise an exception.
Preconditions
- Create a new user object with the admin property set to true.
- Set the user object's username to "something-else".
- Create a service account dict with the "owner" property set to "not-owner".
Desired output
When calling GroupViewSet#user_has_permission_act_on_service_account, expect no exceptions to be thrown.
The owner of the service account is allowed to act on it
Description
In order to add or remove service accounts from a group, the user must satisfy one of the following:
- Be an organization administrator.
- Be the owner of the service account.
- Hold the "User Access administrator" permission.
The goal of the test is to make sure that when the user is the owner of the service account, the function doesn't raise an exception.
Preconditions
- Create a new user object with the admin property set to false.
- Set the user object's username to "sa-owner".
- Create a service account dict with the "owner" property set to "sa-owner".
Desired output
When calling GroupViewSet#user_has_permission_act_on_service_account, expect no exceptions to be thrown.
A user with a "User Access administrator" role is able to act on a service account
Description
In order to add or remove service accounts from a group, the user must satisfy one of the following:
- Be an organization administrator.
- Be the owner of the service account.
- Hold the "User Access administrator" permission.
The goal of the test is to make sure that when the user has the "User Access administrator" permission, the function doesn't raise any exception.
Preconditions
- Perform all of the following steps within the same tenant.
- Create a role named "User Access administrator" in the management_role table if it isn't already seeded.
- Create a service account principal in the management_principals table.
- Create an RBAC group in the management_group table.
- Relate the service account principal to the RBAC group in the management_group_principals table.
- Create a new policy in the management_policy table for the created group.
- Relate the policy to the "User Access administrator" role in the management_policy_roles table.
- Create a new user object with the admin property set to false.
- Set the user object's username to "something-else".
- Create a service account dict with the "owner" property set to "not-owner".
Desired output
When calling GroupViewSet#user_has_permission_act_on_service_account, expect no exceptions to be thrown.
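The four tests above all exercise one authorization rule. The block below is an added example, not the RBAC project's own code from rbac/management/group/view.py: it reimplements that rule with a deny-by-default structure and models the "User Access administrator" lookup on the principal -> group -> policy -> role chain named in the preconditions. The User and RbacTables classes, the is_allowed wrapper and the scenario_results helper are assumptions made for this example; only the function name, the exception name and the usernames come from the test plan.

```python
"""Added example (not the RBAC project's code): reference implementation of the
rule the four tests above check, with an in-memory stand-in for the tables."""
from dataclasses import dataclass, field

USER_ACCESS_ADMIN_ROLE = "User Access administrator"


class InsufficientPrivilegesError(Exception):
    """Raised when the caller meets none of the three grants."""


@dataclass
class User:
    username: str
    admin: bool = False


@dataclass
class RbacTables:
    """Assumed minimal shape of the management_* tables from the preconditions:
    group -> member usernames, policy -> group, policy -> role names."""
    group_principals: dict = field(default_factory=dict)
    policy_group: dict = field(default_factory=dict)
    policy_roles: dict = field(default_factory=dict)

    def roles_for(self, username: str) -> set:
        """Collect every role reachable via principal -> group -> policy -> role."""
        groups = {g for g, members in self.group_principals.items() if username in members}
        roles = set()
        for policy, group in self.policy_group.items():
            if group in groups:
                roles |= self.policy_roles.get(policy, set())
        return roles


def user_has_permission_act_on_service_account(user: User, service_account: dict, tables: RbacTables) -> None:
    """Deny by default: return normally only if one of the three grants applies."""
    if user.admin:
        return
    if service_account.get("owner") == user.username:
        return
    if USER_ACCESS_ADMIN_ROLE in tables.roles_for(user.username):
        return
    raise InsufficientPrivilegesError(
        f"user '{user.username}' may not act on a service account owned by "
        f"'{service_account.get('owner')}'"
    )


def is_allowed(user: User, service_account: dict, tables: RbacTables) -> bool:
    """Boolean wrapper so the scenarios can be compared side by side."""
    try:
        user_has_permission_act_on_service_account(user, service_account, tables)
    except InsufficientPrivilegesError:
        return False
    return True


def scenario_results() -> dict:
    """Run the four cases of the test plan with the usernames it specifies."""
    sa = {"owner": "not-owner"}
    empty = RbacTables()
    # Fourth test: the caller's principal is in a group whose policy is bound
    # to the "User Access administrator" role.
    ua_admin = RbacTables(
        group_principals={"rbac-group-a": {"something-else"}},
        policy_group={"policy-a": "rbac-group-a"},
        policy_roles={"policy-a": {USER_ACCESS_ADMIN_ROLE}},
    )
    return {
        "unauthorized": is_allowed(User("something-else"), sa, empty),
        "org_admin": is_allowed(User("something-else", admin=True), sa, empty),
        "owner": is_allowed(User("sa-owner"), {"owner": "sa-owner"}, empty),
        "user_access_admin": is_allowed(User("something-else"), sa, ua_admin),
    }
```

The ordering of the checks matters only for cost, not for the result: every branch either returns or falls through, and the exception at the end is the only exit for a caller who holds none of the grants. A role with any other name, however privileged it sounds, must fall through to that exception, which is worth keeping as a fifth test alongside the four on this page.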
Adding a service account to a group.
Description
The goal of this test is to verify that the service account gets correctly added to the RBAC group.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create an RBAC group.
Request
POST /groups/{uuid}/principals/ with the following body:
{
"principals": [
{
"clientID": "3554b4d0-83b4-11ee-bffd-8fea9832a03f",
"type": "service-account"
}
]
}
Expected output
- A 200 status response.
- Make sure that the service account you added is present in the response body.
{
"uuid": "d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d",
"name": "rbac-group-a",
"description": "A group for development purposes",
"platform_default": false,
"admin_default": false,
"created": "2023-11-06T15:39:16.785241Z",
"modified": "2023-11-06T15:39:16.802748Z",
"roles": [],
"roleCount": 0,
"system": false,
"principals": [
{
"username": "bar",
"first_name": "foo",
"last_name": "bar",
"email": "baz",
"user_id": "bar",
"type": "service-account"
}
]
}
Removing a non-existent service account from a group should end in an error.
Description
The goal of this test is to verify that when the user specifies a service account that does not exist in the group, RBAC returns an error.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create an RBAC group.
Request
DELETE /groups/{uuid}/principals/?service-accounts=non-existent-account
Expected output
- A response with a 404 status code with the following body:
{
"errors": [
{
"detail": "Service account(s) {'non-existent-account'} not found in the group 'rbac-group-a'",
"status": 404,
"source": "groups"
}
]
}
Removing a service account from a group.
Description
The goal of this test is to verify that the service account gets correctly removed from the RBAC group.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create a service account principal.
- Create a group.
- Assign the principal to the group.
Request
DELETE /groups/{uuid}/principals/?service-accounts=foo
Expected output
A 204 response.
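The three request tests above (add, remove a missing account, remove an existing account) share one membership model. The block below is an added example, not the RBAC project's code: it reduces POST and DELETE /groups/{uuid}/principals/ to (status, body) tuples so the 200, 204 and 404 outcomes can be checked without an HTTP stack. The GroupServiceAccounts class, the 400 responses for malformed input and the all-or-nothing delete are assumptions of this example; the 404 body shape and message format are taken from the page.

```python
"""Added example (not the RBAC project's code): add/remove semantics for a
group's service accounts, returning (status, body) instead of HTTP responses."""

SERVICE_ACCOUNT = "service-account"


def error_body(detail: str, status: int) -> dict:
    """Error envelope in the shape the 404 response above uses."""
    return {"errors": [{"detail": detail, "status": status, "source": "groups"}]}


class GroupServiceAccounts:
    """Service-account membership of one group, keyed by clientID."""

    def __init__(self, name: str, client_ids=()):
        self.name = name
        self._members = set(client_ids)

    def members(self) -> list:
        return sorted(self._members)

    def add(self, body: dict):
        """POST handler. Every entry must be a service-account principal with a
        clientID; the whole request is rejected before anything is written if one
        entry is malformed (the 400 status is an assumption, not from the page)."""
        principals = body.get("principals")
        if not isinstance(principals, list) or not principals:
            return 400, error_body("'principals' must be a non-empty list", 400)
        client_ids = []
        for entry in principals:
            if (not isinstance(entry, dict) or entry.get("type") != SERVICE_ACCOUNT
                    or not entry.get("clientID")):
                return 400, error_body(f"invalid principal entry: {entry!r}", 400)
            client_ids.append(entry["clientID"])
        self._members.update(client_ids)
        return 200, {
            "name": self.name,
            "principals": [{"clientID": c, "type": SERVICE_ACCOUNT} for c in self.members()],
        }

    def remove(self, service_accounts_param: str):
        """DELETE handler for ?service-accounts=<id>[,<id>...]. All-or-nothing
        (assumption): if any requested ID is not in the group, nothing is removed
        and the 404 body shown above is returned."""
        requested = {s.strip() for s in service_accounts_param.split(",") if s.strip()}
        if not requested:
            return 400, error_body("'service-accounts' query parameter is required", 400)
        missing = requested - self._members
        if missing:
            return 404, error_body(
                f"Service account(s) {missing} not found in the group '{self.name}'", 404)
        self._members -= requested
        return 204, None
```

The detail string interpolates a Python set, which is why the page's 404 body reads `{'non-existent-account'}`. With more than one missing ID the order inside the braces is not stable, so a test that asserts on the exact string should request a single missing account, as the test above does, or parse the braces instead of comparing whole strings.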
Fetch no service accounts from group.
Description
If the group doesn't contain any service accounts, a response with an empty data array should be returned.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create an RBAC group.
Request
GET /groups/{uuid}/principals/?principal_type=service-account
Expected output
Confirm that:
- The count is 0.
- The data array is empty.
- A response with a 200 status code with the following body:
{
"meta": {
"count": 0,
"limit": 10,
"offset": 0
},
"links": {
"first": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&principal_type=service-account",
"next": null,
"previous": null,
"last": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&principal_type=service-account"
},
"data": []
}
Fetch service accounts from group.
Description
When the group has associated service accounts, RBAC should return them.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create a group.
- Create two service account principals, foo and bar, in the database.
Request
GET /groups/{uuid}/principals/?principal_type=service-account
Expected output
Confirm that:
- The count is 2.
- The service accounts contain the client IDs you've specified for the service account principals.
- The type of the service accounts is service-account.
- The username of the service accounts match the username you've set for the service account principals.
- A response with a 200 status code with the following body:
{
"meta": {
"count": 2,
"limit": 10,
"offset": 0
},
"links": {
"first": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&principal_type=service-account",
"next": null,
"previous": null,
"last": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&principal_type=service-account"
},
"data": [
{
"clientID": "8af69804-83b4-11ee-959d-5fbf2a8f8f06",
"name": "8af69804-83b4-11ee-959d-5fbf2a8f8f06-name",
"description": "8af69804-83b4-11ee-959d-5fbf2a8f8f06-description",
"owner": "bar",
"time_created": 1700070654,
"type": "service-account",
"username": "bar"
},
{
"clientID": "3554b4d0-83b4-11ee-bffd-8fea9832a03f",
"name": "3554b4d0-83b4-11ee-bffd-8fea9832a03f-name",
"description": "3554b4d0-83b4-11ee-bffd-8fea9832a03f-description",
"owner": "foo",
"time_created": 1700070654,
"type": "service-account",
"username": "foo"
}
]
}
Fetch service accounts usernames from group
Description
When the username_only query parameter is set to true, only the usernames of the group's service accounts should be returned.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create a group.
- Create two service account principals, foo and bar, in the database.
Request
GET /groups/{uuid}/principals/?principal_type=service-account&username_only=true
Expected output
Just confirm that:
- The count is 2.
- Only the username key is present for each element in the returned data array.
- The username of the service accounts match the username you've set for the service account principals.
- A response with a 200 status code with the following body:
{
"meta": {
"count": 2,
"limit": 10,
"offset": 0
},
"links": {
"first": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&principal_type=service-account&username_only=true",
"next": null,
"previous": null,
"last": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&principal_type=service-account&username_only=true"
},
"data": [
{
"username": "bar"
},
{
"username": "foo"
}
]
}
Fetch service accounts that match a certain username
Description
When the principal_username query parameter is provided, RBAC filters the group's service accounts by username and returns only those whose username matches the given text.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create a group.
- Create two service account principals, foo and bar, in the database.
Request
GET /groups/{uuid}/principals/?principal_type=service-account&principal_username=b
Expected output
Just confirm that:
- The count is 1.
- The service account contains the client ID you specified for the service account principal.
- The type of the service account is service-account.
- The username of the service account matches the username you set for the service account principal.
- A response with a 200 status code with the following body:
{
"meta": {
"count": 1,
"limit": 10,
"offset": 0
},
"links": {
"first": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&principal_type=service-account&principal_username=b",
"next": null,
"previous": null,
"last": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&principal_type=service-account&principal_username=b"
},
"data": [
{
"clientID": "8af69804-83b4-11ee-959d-5fbf2a8f8f06",
"name": "8af69804-83b4-11ee-959d-5fbf2a8f8f06-name",
"description": "8af69804-83b4-11ee-959d-5fbf2a8f8f06-description",
"owner": "bar",
"time_created": 1700071262,
"type": "service-account",
"username": "bar"
}
]
}
Fetch service accounts in ascending order
Description
When the order_by query parameter has the username value, then RBAC should return the group's service accounts ordered by their usernames in ascending order.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create a group.
- Create two service account principals, foo and bar, in the database.
Request
GET /groups/{uuid}/principals/?principal_type=service-account&order_by=username
Expected output
Just confirm that:
- The count is 2.
- The service accounts contain the client IDs you've specified for the service account principals.
- The type of the service accounts is service-account.
- The username of the service accounts match the username you've set for the service account principals.
- A response with a 200 status code with the following body:
{
"meta": {
"count": 2,
"limit": 10,
"offset": 0
},
"links": {
"first": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&order_by=username&principal_type=service-account",
"next": null,
"previous": null,
"last": "/api/rbac/v1/groups/d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d/principals/?limit=10&offset=0&order_by=username&principal_type=service-account"
},
"data": [
{
"clientID": "8af69804-83b4-11ee-959d-5fbf2a8f8f06",
"name": "8af69804-83b4-11ee-959d-5fbf2a8f8f06-name",
"description": "8af69804-83b4-11ee-959d-5fbf2a8f8f06-description",
"owner": "bar",
"time_created": 1700071380,
"type": "service-account",
"username": "bar"
},
{
"clientID": "3554b4d0-83b4-11ee-bffd-8fea9832a03f",
"name": "3554b4d0-83b4-11ee-bffd-8fea9832a03f-name",
"description": "3554b4d0-83b4-11ee-bffd-8fea9832a03f-description",
"owner": "foo",
"time_created": 1700071380,
"type": "service-account",
"username": "foo"
}
]
}
Fetch service accounts from a group that match a certain description
Description
When the service_account_description query parameter is provided, RBAC should filter a group's service accounts by their description.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create a group.
- Create two service account principals, foo and bar, in the database.
Request
GET /groups/{uuid}/principals/?principal_type=service-account&service_account_description=<your-description>
Expected output
Confirm that only one of the accounts is returned and that its description matches the filter you specified.
Fetch service accounts from a group that match a certain name
Description
When the service_account_name query parameter is provided, RBAC should filter a group's service accounts by their name.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create a group.
- Create two service account principals, foo and bar, in the database.
Request
GET /groups/{uuid}/principals/?principal_type=service-account&service_account_name=<your-name>
Expected output
Confirm that only one of the accounts is returned and that its name matches the filter you specified.
Fetch service accounts from a group that match a certain description and name
Description
When the service_account_description and service_account_name query parameters are provided, RBAC should filter a group's service accounts by their description and their name.
Preconditions
- IT_BYPASS_IT_CALLS environment variable set to true.
- IT_BYPASS_PERMISSIONS_MODIFY_SERVICE_ACCOUNTS environment variable set to true.
- IT_BYPASS_TOKEN_VALIDATION environment variable set to true.
- Create a group.
- Create two service account principals, foo and bar, in the database.
Request
GET /groups/{uuid}/principals/?principal_type=service-account&service_account_description=<your-description>&service_account_name=<your-name>
Expected output
Confirm that only the accounts matching both criteria are returned.
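The fetch tests from "Fetch no service accounts from group" down to this one all exercise the same listing endpoint with different query parameters. The block below is an added example, not the RBAC project's code: one function that applies the principal_username, service_account_name and service_account_description filters, order_by=username, username_only, and limit/offset pagination, and builds the meta and links objects in the shape the expected bodies above show (query parameters sorted alphabetically, as in those links). Case-insensitive substring matching for the filters is an assumption; the page only shows that "b" matches "bar". The sample accounts are constructed from the example values on the page.

```python
"""Added example (not the RBAC project's code): listing semantics of
GET /groups/{uuid}/principals/?principal_type=service-account."""
from urllib.parse import urlencode

GROUP_UUID = "d70d0ca7-ee83-4f0e-b792-cb2bc46ef70d"

# Constructed sample data, built from the example values shown on the page.
SAMPLE_ACCOUNTS = [
    {"clientID": "8af69804-83b4-11ee-959d-5fbf2a8f8f06",
     "name": "8af69804-83b4-11ee-959d-5fbf2a8f8f06-name",
     "description": "8af69804-83b4-11ee-959d-5fbf2a8f8f06-description",
     "owner": "bar", "time_created": 1700070654, "type": "service-account", "username": "bar"},
    {"clientID": "3554b4d0-83b4-11ee-bffd-8fea9832a03f",
     "name": "3554b4d0-83b4-11ee-bffd-8fea9832a03f-name",
     "description": "3554b4d0-83b4-11ee-bffd-8fea9832a03f-description",
     "owner": "foo", "time_created": 1700070654, "type": "service-account", "username": "foo"},
]


def _matches(value, needle) -> bool:
    """Case-insensitive substring filter (assumption); no filter matches everything."""
    return needle is None or needle.lower() in (value or "").lower()


def _link(group_uuid: str, params: dict, offset: int) -> str:
    """Pagination link with alphabetically sorted query parameters, as on the page."""
    query = urlencode(sorted({**params, "offset": offset}.items()))
    return f"/api/rbac/v1/groups/{group_uuid}/principals/?{query}"


def list_service_accounts(group_uuid, accounts, principal_username=None,
                          service_account_name=None, service_account_description=None,
                          order_by=None, username_only=False, limit=10, offset=0) -> dict:
    """Filter, order and paginate a group's service accounts; returns the response body."""
    if order_by not in (None, "username"):
        raise ValueError(f"unsupported order_by: {order_by!r}")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")

    matched = [
        a for a in accounts
        if a.get("type") == "service-account"
        and _matches(a.get("username"), principal_username)
        and _matches(a.get("name"), service_account_name)
        and _matches(a.get("description"), service_account_description)
    ]
    if order_by == "username":
        matched.sort(key=lambda a: a["username"])

    count = len(matched)
    page = matched[offset:offset + limit]
    if username_only:
        page = [{"username": a["username"]} for a in page]

    # Echo the effective query parameters into the pagination links.
    params = {"limit": limit, "principal_type": "service-account"}
    if principal_username is not None:
        params["principal_username"] = principal_username
    if service_account_name is not None:
        params["service_account_name"] = service_account_name
    if service_account_description is not None:
        params["service_account_description"] = service_account_description
    if order_by is not None:
        params["order_by"] = order_by
    if username_only:
        params["username_only"] = "true"

    last_offset = ((count - 1) // limit) * limit if count else 0
    links = {
        "first": _link(group_uuid, params, 0),
        "next": _link(group_uuid, params, offset + limit) if offset + limit < count else None,
        "previous": _link(group_uuid, params, max(0, offset - limit)) if offset > 0 else None,
        "last": _link(group_uuid, params, last_offset),
    }
    return {"meta": {"count": count, "limit": limit, "offset": offset}, "links": links, "data": page}
```

Two details are easy to get wrong in a test: meta.count is the size of the filtered collection, not of the page, so a limit smaller than the match count still reports the full count; and when username_only is true the data entries carry only the username key, so a test that checks clientID on those entries will fail for the right reason.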