test_scim.py
from datetime import timedelta
import pytest
from databricks.sdk import AccountClient, WorkspaceClient
from databricks.sdk.errors import NotFound
from databricks.sdk.retries import retried
from databricks.sdk.service import iam
from databricks.labs.ucx.workspace_access.base import Permissions
from databricks.labs.ucx.workspace_access.groups import MigratedGroup, MigrationState
from databricks.labs.ucx.workspace_access.scim import ScimSupport
from . import apply_tasks
@pytest.mark.parametrize("use_permission_migration_api", [True, False])
@retried(on=[NotFound], timeout=timedelta(minutes=3))
def test_some_entitlements(
    acc: AccountClient,
    ws: WorkspaceClient,
    make_group,
    make_acc_group,
    use_permission_migration_api: bool,
):
    """Check that an entitlement on a workspace group is present on the account group after migration.

    The test runs once per migration path: ``MigrationState`` when
    ``use_permission_migration_api`` is true, ``apply_tasks`` with ``ScimSupport``
    otherwise. The ``retried`` decorator wraps the whole test function, so a
    ``NotFound`` raised anywhere in the body re-runs it, including the fixture
    factory calls that create the groups.

    NOTE(review): the final assertion only checks that the entitlement is present
    on the account group. It does not check that migration added nothing else, so
    an over-grant on the target group would not fail this test.
    """
    entitlement = "databricks-sql-access"

    ws_group = make_group()
    acc_group = make_acc_group()
    # The account group is given USER permission on this workspace before migration.
    workspace_id = ws.get_workspace_id()
    acc.workspace_assignment.update(workspace_id, acc_group.id, [iam.WorkspacePermission.USER])
    migrated_group = MigratedGroup.partial_info(ws_group, acc_group)

    # Grant the entitlement on the workspace-local group through a SCIM PATCH.
    add_entitlement = iam.Patch(
        op=iam.PatchOp.ADD,
        path="entitlements",
        value=[iam.ComplexValue(value=entitlement).as_dict()],
    )
    ws.groups.patch(
        ws_group.id,
        operations=[add_entitlement],
        schemas=[iam.PatchSchema.URN_IETF_PARAMS_SCIM_API_MESSAGES_2_0_PATCH_OP],
    )

    scim_support = ScimSupport(ws)

    # Precondition: the grant is visible on the source group before migrating.
    _, before = scim_support.load_for_group(ws_group.id)
    assert entitlement in before

    if not use_permission_migration_api:
        apply_tasks(scim_support, [migrated_group])
    else:
        MigrationState([migrated_group]).apply_to_groups_with_different_names(ws)

    # Postcondition: the same entitlement is readable on the account group.
    _, after = scim_support.load_for_group(acc_group.id)
    assert entitlement in after
@retried(on=[NotFound], timeout=timedelta(minutes=3))
def test_verify_entitlements(ws, make_group):
    """Check that the SCIM verify task succeeds for an entitlement actually set on a group.

    The test grants ``databricks-sql-access`` to a new workspace group, builds a
    ``Permissions`` record describing that same entitlement, and asserts that the
    task returned by ``ScimSupport.get_verify_task`` gives a truthy result.

    NOTE(review): only the matching case is covered here. There is no case where
    the recorded entitlements differ from what the group holds, so this test
    does not show how the verify task reports a mismatch.
    """
    group = make_group()

    # Grant the entitlement through a SCIM PATCH so there is real state to verify.
    add_entitlement = iam.Patch(
        op=iam.PatchOp.ADD,
        path="entitlements",
        value=[iam.ComplexValue(value="databricks-sql-access").as_dict()],
    )
    ws.groups.patch(
        group.id,
        operations=[add_entitlement],
        schemas=[iam.PatchSchema.URN_IETF_PARAMS_SCIM_API_MESSAGES_2_0_PATCH_OP],
    )

    # Expected state, in the serialized form the Permissions record carries.
    expected = Permissions(
        object_id=group.id,
        object_type="entitlements",
        raw='[{"value": "databricks-sql-access"}]',
    )

    verify = ScimSupport(ws).get_verify_task(expected)
    assert verify()