def _new_group(self, group_id, display_name, group_name, ldap,
root_password):
user = identity.current.user
if ldap and not user.is_admin():
flash(_(u'Only admins can create LDAP groups'))
redirect('.')
try:
Group.by_name(group_name)
except NoResultFound:
pass
else:
flash( _(u"Group %s already exists." % group_name) )
redirect(".")
group = Group()
session.add(group)
group.record_activity(user=user, service=u'WEBUI', field=u'Group',
action=u'Created')
group.display_name = display_name
group.group_name = group_name
group.ldap = ldap
if group.ldap:
group.refresh_ldap_members()
group.root_password = root_password
if not ldap: # LDAP groups don't have owners
group.user_group_assocs.append(UserGroup(user=user, is_owner=True))
group.activity.append(GroupActivity(user, service=u'WEBUI',
action=u'Added', field_name=u'User',
old_value=None, new_value=user.user_name))
group.activity.append(GroupActivity(user, service=u'WEBUI',
action=u'Added', field_name=u'Owner',
old_value=None, new_value=user.user_name))
return group
def setUp(self):
self.selenium = self.get_selenium()
self.password = '******'
# create users
self.user_1 = data_setup.create_user(password=self.password)
self.user_2 = data_setup.create_user(password=self.password)
self.user_3 = data_setup.create_user(password=self.password)
# create admin users
self.admin_1 = data_setup.create_user(password=self.password)
self.admin_1.groups.append(Group.by_name(u'admin'))
self.admin_2 = data_setup.create_user(password=self.password)
self.admin_2.groups.append(Group.by_name(u'admin'))
# create systems
self.system_1 = data_setup.create_system(shared=True)
self.system_2 = data_setup.create_system(shared=True)
self.system_3 = data_setup.create_system(shared=False,
owner=self.user_3)
# create group and add users/systems to it
self.group_1 = data_setup.create_group()
self.user_3.groups.append(self.group_1)
self.admin_2.groups.append(self.group_1)
self.system_2.groups.append(self.group_1)
lc = data_setup.create_labcontroller()
self.system_1.lab_controller = lc
self.system_2.lab_controller = lc
self.system_3.lab_controller = lc
self.selenium.start()
def test_group_modify_add_member(self):
with session.begin():
user = data_setup.create_user()
mail_capture_thread.start_capturing()
out = run_client(['bkr', 'group-modify',
'--add-member', user.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user.user_name in
[u.user_name for u in group.users])
self.check_notification(user, group, action='Added')
try:
out = run_client(['bkr', 'group-modify',
'--add-member', 'idontexist',
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError as e:
self.assert_('User idontexist does not exist' in
e.stderr_output, e.stderr_output)
try:
out = run_client(['bkr', 'group-modify',
'--add-member', user.user_name,
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError as e:
self.assert_('User %s is already a member of group %s'
% (user.user_name, self.group.group_name)
in e.stderr_output, e.stderr_output)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'User')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, user.user_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client(['bkr', 'group-modify',
'--add-member', user.user_name,
self.fake_ldap_group.group_name])
self.fail('Must fail or die')
except ClientError as e:
self.assert_('Cannot edit membership of group %s'
% self.fake_ldap_group.group_name
in e.stderr_output,e.stderr_output)
def test_group_create(self):
group_name = data_setup.unique_name(u'group%s')
display_name = u'My Group'
out = run_client([
'bkr', 'group-create', '--display-name', display_name, group_name
])
self.assert_('Group created' in out, out)
with session.begin():
group = Group.by_name(group_name)
self.assertEquals(group.display_name, display_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value,
data_setup.ADMIN_USER)
self.assertEquals(group.activity[-1].service, u'HTTP')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value,
data_setup.ADMIN_USER)
self.assertEquals(group.activity[-2].service, u'HTTP')
self.assertEquals(group.activity[-3].action, u'Created')
self.assertEquals(group.activity[-3].service, u'HTTP')
group_name = data_setup.unique_name(u'group%s')
out = run_client(['bkr', 'group-create', group_name])
self.assert_('Group created' in out, out)
with session.begin():
group = Group.by_name(group_name)
self.assertEqual(group.group_name, group_name)
self.assertEqual(group.display_name, group_name)
group_name = data_setup.unique_name(u'group%s')
try:
_ = run_client(['bkr', 'group-create', group_name, group_name])
self.fail('Must fail or die')
except ClientError as e:
self.assert_(
'Exactly one group name must be specified' in e.stderr_output,
e.stderr_output)
try:
_ = run_client(
['bkr', 'group-create', 'areallylonggroupname' * 20])
self.fail('Must fail or die')
except ClientError as e:
self.assertIn(
'Group name must be not more than 255 characters long',
e.stderr_output)
try:
_ = run_client([
'bkr', 'group-create', '--display-name',
'A really long group display name' * 20, 'agroup'
])
self.fail('Must fail or die')
except ClientError as e:
self.assertIn(
'Group display name must be not more than 255 characters long',
e.stderr_output)
def create_group():
"""
Creates a new user group in Beaker. The request must be
:mimetype:`application/json`.
:jsonparam string group_name: Symbolic name for the group.
:jsonparam string display_name: Human-friendly display name for the group.
:jsonparam string description: Description of the group.
:jsonparam string root_password: Optional root password for group jobs.
If this is not set, group jobs will use the root password preferences of
the job submitter.
:jsonparam string membership_type: Specifies how group membership is populated.
Possible values are:
* normal: Group is initially empty, members are explicitly added and removed by
group owner.
* ldap: Membership is populated from the LDAP group with the same group name.
* inverted: Group contains all Beaker users *except* users who have been explicitly
excluded by the group owner.
:status 201: The group was successfully created.
"""
user = identity.current.user
data = read_json_request(request)
if 'group_name' not in data:
raise BadRequest400('Missing group_name key')
if 'display_name' not in data:
raise BadRequest400('Missing display_name key')
# for backwards compatibility
if data.pop('ldap', False):
data['membership_type'] = 'ldap'
try:
Group.by_name(data['group_name'])
except NoResultFound:
pass
else:
raise Conflict409("Group '%s' already exists" % data['group_name'])
with convert_internal_errors():
group = Group.lazy_create(group_name=data['group_name'])
group.display_name = data['display_name']
group.description = data.get('description')
group.root_password = data.get('root_password')
session.add(group)
group.record_activity(user=user,
service=u'HTTP',
field=u'Group',
action=u'Created')
if data.get('membership_type'):
group.membership_type = GroupMembershipType.from_string(
data['membership_type'])
if group.membership_type == GroupMembershipType.ldap:
group.refresh_ldap_members()
else: # LDAP groups don't have any owners
group.add_member(user, is_owner=True, agent=identity.current.user)
response = jsonify(group.__json__())
response.status_code = 201
response.headers.add('Location', absolute_url(group.href))
return response
def create_group():
"""
Creates a new user group in Beaker. The request must be
:mimetype:`application/json`.
:jsonparam string group_name: Symbolic name for the group.
:jsonparam string display_name: Human-friendly display name for the group.
:jsonparam string description: Description of the group.
:jsonparam string root_password: Optional root password for group jobs.
If this is not set, group jobs will use the root password preferences of
the job submitter.
:jsonparam string membership_type: Specifies how group membership is populated.
Possible values are:
* normal: Group is initially empty, members are explicitly added and removed by
group owner.
* ldap: Membership is populated from the LDAP group with the same group name.
* inverted: Group contains all Beaker users *except* users who have been explicitly
excluded by the group owner.
:status 201: The group was successfully created.
"""
user = identity.current.user
data = read_json_request(request)
if 'group_name' not in data:
raise BadRequest400('Missing group_name key')
if 'display_name' not in data:
raise BadRequest400('Missing display_name key')
# for backwards compatibility
if data.pop('ldap', False):
data['membership_type'] = 'ldap'
try:
Group.by_name(data['group_name'])
except NoResultFound:
pass
else:
raise Conflict409("Group '%s' already exists" % data['group_name'])
with convert_internal_errors():
group = Group.lazy_create(group_name=data['group_name'])
group.display_name = data['display_name']
group.description = data.get('description')
group.root_password = data.get('root_password')
session.add(group)
group.record_activity(user=user, service=u'HTTP',
field=u'Group', action=u'Created')
if data.get('membership_type'):
group.membership_type = GroupMembershipType.from_string(
data['membership_type'])
if group.membership_type == GroupMembershipType.ldap:
group.refresh_ldap_members()
else: # LDAP groups don't have any owners
group.add_member(user, is_owner=True, agent=identity.current.user)
response = jsonify(group.__json__())
response.status_code = 201
response.headers.add('Location', absolute_url(group.href))
return response
def test_remove_user_from_owning_group(self):
with session.begin():
user = data_setup.create_user(password='******')
group_name = data_setup.unique_name('AAAAAA%s')
display_name = data_setup.unique_name('Group Display Name %s')
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]').send_keys(
display_name)
b.find_element_by_xpath('//input[@id="Group_group_name"]').send_keys(
group_name)
b.find_element_by_id('Group').submit()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text(group_name).click()
# add an user
b.find_element_by_xpath(
'//input[@id="GroupUser_user_text"]').send_keys(user.user_name)
b.find_element_by_id('GroupUser').submit()
self.mail_capture.captured_mails[:] = []
group_id = Group.by_name(group_name).group_id
username = user.user_name
user_id = user.user_id
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % username)\
.find_element_by_link_text('Remove').click()
self.assertEquals(
b.find_element_by_class_name('flash').text,
'%s Removed' % username)
with session.begin():
group = Group.by_name(group_name)
self.check_notification(user, group, action='Removed')
# remove self when I am the only owner of the group
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\
.find_element_by_link_text('Remove').click()
self.assert_('Cannot remove member' in b.find_element_by_class_name(
'flash').text)
# admin should be able to remove an owner, even if only one
logout(b)
#login back as admin
login(b)
b.get(get_server_base() + 'groups/edit?group_id=%s' % group_id)
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\
.find_element_by_link_text('Remove').click()
self.assert_(
'%s Removed' %
self.user.user_name in b.find_element_by_class_name('flash').text)
def test_group_modify_grant_owner(self):
with session.begin():
user1 = data_setup.create_user()
self.group.add_member(user1)
user2 = data_setup.create_user()
self.group.add_member(user2)
user3 = data_setup.create_user()
out = run_client([
'bkr', 'group-modify', '--grant-owner', user1.user_name,
'--grant-owner', user2.user_name, self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user1.user_id in [u.user_id for u in group.owners()])
self.assert_(user2.user_id in [u.user_id for u in group.owners()])
self.assertEquals(
Activity.query.filter_by(service=u'HTTP',
field_name=u'Owner',
action=u'Added',
new_value=user2.user_name).count(), 1)
group = Group.by_name(group.group_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, user2.user_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
# If the user is not a group member, add the user into the members list
# first and then grant the group ownership.
out = run_client([
'bkr', 'group-modify', '--grant-owner', user3.user_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assertIn(user3, group.users)
self.assertTrue(group.has_owner(user3))
try:
out = run_client([
'bkr', 'group-modify', '--grant-owner', user3.user_name,
self.fake_ldap_group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError as e:
self.assert_('Cannot edit ownership of group' in e.stderr_output,
e.stderr_output)
def test_adds_existing_user_to_admin_group(self):
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = data_setup.create_user()
self.assertNotIn(admin_group, existing_user.groups)
populate_db(user_name=existing_user.user_name)
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = User.query.get(existing_user.user_id)
self.assertIn(admin_group, existing_user.groups)
# run the same thing again, should have no effect but should not break
populate_db(user_name=existing_user.user_name)
def test_adds_existing_user_to_admin_group(self):
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = data_setup.create_user()
self.assertNotIn(admin_group, existing_user.groups)
populate_db(user_name=existing_user.user_name)
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = User.query.get(existing_user.user_id)
self.assertIn(admin_group, existing_user.groups)
# run the same thing again, should have no effect but should not break
populate_db(user_name=existing_user.user_name)
def test_adds_existing_user_to_admin_group(self):
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = data_setup.create_user()
self.assertNotIn(admin_group, existing_user.groups)
run_command('init.py', 'beaker-init', ['--user', existing_user.user_name])
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = User.query.get(existing_user.user_id)
self.assertIn(admin_group, existing_user.groups)
# run the same thing again, should have no effect but should not break
run_command('init.py', 'beaker-init', ['--user', existing_user.user_name])
def test_adds_existing_user_to_admin_group(self):
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = data_setup.create_user()
self.assertNotIn(admin_group, existing_user.groups)
run_command('init.py', 'beaker-init',
['--user', existing_user.user_name])
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = User.query.get(existing_user.user_id)
self.assertIn(admin_group, existing_user.groups)
# run the same thing again, should have no effect but should not break
run_command('init.py', 'beaker-init',
['--user', existing_user.user_name])
def test_group_modify_grant_owner(self):
with session.begin():
user1 = data_setup.create_user()
self.group.add_member(user1)
user2 = data_setup.create_user()
self.group.add_member(user2)
user3 = data_setup.create_user()
out = run_client(['bkr', 'group-modify',
'--grant-owner', user1.user_name,
'--grant-owner', user2.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user1.user_id in [u.user_id for u in group.owners()])
self.assert_(user2.user_id in [u.user_id for u in group.owners()])
self.assertEquals(Activity.query.filter_by(service=u'HTTP',
field_name=u'Owner', action=u'Added',
new_value=user2.user_name).count(), 1)
group = Group.by_name(group.group_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, user2.user_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
# If the user is not a group member, add the user into the members list
# first and then grant the group ownership.
out = run_client(['bkr', 'group-modify',
'--grant-owner', user3.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assertIn(user3, group.users)
self.assertTrue(group.has_owner(user3))
try:
out = run_client(['bkr', 'group-modify',
'--grant-owner', user3.user_name,
self.fake_ldap_group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('Cannot modify group ownership')
def test_remove_user_from_owning_group(self):
with session.begin():
user = data_setup.create_user(password='******')
group_name = data_setup.unique_name('AAAAAA%s')
display_name = data_setup.unique_name('Group Display Name %s')
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]').send_keys(display_name)
b.find_element_by_xpath('//input[@id="Group_group_name"]').send_keys(group_name)
b.find_element_by_id('Group').submit()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text(group_name).click()
# add an user
b.find_element_by_xpath('//input[@id="GroupUser_user_text"]').send_keys(user.user_name)
b.find_element_by_id('GroupUser').submit()
self.mail_capture.captured_mails[:] = []
group_id = Group.by_name(group_name).group_id
username = user.user_name
user_id = user.user_id
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % username)\
.find_element_by_link_text('Remove').click()
self.assertEquals(b.find_element_by_class_name('flash').text,
'%s Removed' % username)
with session.begin():
group = Group.by_name(group_name)
self.check_notification(user, group, action='Removed')
# remove self when I am the only owner of the group
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\
.find_element_by_link_text('Remove').click()
self.assert_('Cannot remove member' in b.find_element_by_class_name('flash').text)
# admin should be able to remove an owner, even if only one
logout(b)
#login back as admin
login(b)
b.get(get_server_base() + 'groups/edit?group_id=%s' % group_id)
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\
.find_element_by_link_text('Remove').click()
self.assert_('%s Removed' % self.user.user_name in b.find_element_by_class_name('flash').text)
def revoke_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.membership_type == GroupMembershipType.ldap:
raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
if len(group.owners())==1 and not identity.current.user.is_admin():
raise GroupOwnerModificationForbidden('Cannot remove the only owner')
else:
group.revoke_ownership(user=user, agent=identity.current.user, service=service)
# hack to return the user removing this owner
# so that if the user was logged in as a group
# owner, he/she can be redirected appropriately
return str(identity.current.user.user_id)
def test_group_modify_group_name(self):
group_name = 'mynewgroup'
out = run_client([
'bkr', 'group-modify', '--group-name', group_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(group_name)
self.assertEquals(group.group_name, group_name)
self.assertEquals(group.activity[-1].action, u'Changed')
self.assertEquals(group.activity[-1].field_name, u'Name')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, group_name)
self.assertEquals(group.activity[-1].service, u'XMLRPC')
try:
out = run_client([
'bkr', 'group-modify', '--group-name',
'areallylonggroupname' * 20, self.group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError, e:
max_length = Group.group_name.property.columns[0].type.length
self.assertRegexpMatches(
e.stderr_output,
'Enter a value (less|not more) than %r characters long' %
max_length)
def save_system_access_policy(fqdn):
system = _get_system_by_FQDN(fqdn)
if not system.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system policy')
if system.custom_access_policy:
policy = system.custom_access_policy
else:
policy = system.custom_access_policy = SystemAccessPolicy()
data = read_json_request(request)
# Figure out what is added, what is removed.
# Rules are immutable, so if it has an id it is unchanged,
# if it has no id it is new.
kept_rule_ids = frozenset(r['id'] for r in data['rules'] if 'id' in r)
removed = []
for old_rule in policy.rules:
if old_rule.id not in kept_rule_ids:
removed.append(old_rule)
for old_rule in removed:
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Removed',
old=repr(old_rule))
policy.rules.remove(old_rule)
for rule in data['rules']:
if 'id' not in rule:
user = User.by_user_name(rule['user']) if rule['user'] else None
group = Group.by_name(rule['group']) if rule['group'] else None
permission = SystemPermission.from_string(rule['permission'])
new_rule = policy.add_rule(user=user, group=group,
everybody=rule['everybody'], permission=permission)
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Added',
new=repr(new_rule))
return '', 204
def test_admin_cannot_rename_protected_group(self):
# See https://bugzilla.redhat.com/show_bug.cgi?id=961206
protected_group_name = u'admin'
with session.begin():
group = Group.by_name(protected_group_name)
expected_display_name = group.display_name
# Run command as the default admin user
try:
out = run_client(['bkr', 'group-modify',
'--group-name', 'new_admin',
'--display-name', 'this is also unchanged',
protected_group_name])
self.fail('Must fail or die')
except ClientError as e:
self.assert_('Cannot rename protected group' in
e.stderr_output, e.stderr_output)
# Check the whole request is ignored if the name change is rejected
with session.begin():
session.refresh(group)
self.assertEquals(group.group_name, protected_group_name)
self.assertEquals(group.display_name, expected_display_name)
# However, changing just the display name is fine
new_display_name = 'Tested admin group'
out = run_client(['bkr', 'group-modify',
'--display-name', new_display_name,
protected_group_name])
with session.begin():
session.refresh(group)
self.assertEquals(group.group_name, protected_group_name)
self.assertEquals(group.display_name, new_display_name)
def test_group_modify_group_name(self):
group_name = u'mynewgroup'
out = run_client(['bkr', 'group-modify',
'--group-name', group_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(group_name)
self.assertEquals(group.group_name, group_name)
self.assertEquals(group.activity[-1].action, u'Changed')
self.assertEquals(group.activity[-1].field_name, u'Name')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, group_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client(['bkr', 'group-modify',
'--group-name', 'areallylonggroupname'*20,
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError,e:
self.assertIn(
'Group name must be not more than 255 characters long',
e.stderr_output)
def create_admin(user_name=None, **kwargs):
if user_name is None:
user_name = unique_name(u'admin%s')
user = create_user(user_name=user_name, **kwargs)
group = Group.by_name(u'admin')
group.add_member(user, service=u'testdata')
return user
def test_remove_self_admin_group(self):
with session.begin():
user = data_setup.create_admin(password='******')
b = self.browser
login(b, user=user.user_name, password='******')
# admin should be in groups/mine
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('admin').click()
# remove self
b.find_element_by_xpath('//td/a[text()="Remove (-)" and ../preceding-sibling::td[2]/text()="%s"]'
% user.user_name).click()
# admin should not be in groups/mine
b.get(get_server_base() + 'groups/mine')
self.assertTrue(not is_text_present(b, 'admin'))
logout(b)
# login as admin
login(b)
group = Group.by_name('admin')
group_users = group.users
# remove all other users from 'admin'
b.get(get_server_base() + 'groups/edit?group_id=1')
for usr in group_users:
if usr.user_id != 1:
b.find_element_by_xpath('//td/a[text()="Remove (-)" and ../preceding-sibling::td[2]/text()="%s"]'
% usr.user_name).click()
# attempt to remove admin user
b.find_element_by_xpath('//a[@href="removeUser?group_id=1&id=1"]').click()
self.assert_('Cannot remove member' in b.find_element_by_class_name('flash').text)
def add_system_access_policy_rule(fqdn):
system = _get_system_by_FQDN(fqdn)
if not system.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system policy')
if system.custom_access_policy:
policy = system.custom_access_policy
else:
policy = system.custom_access_policy = SystemAccessPolicy()
rule = read_json_request(request)
if rule['user']:
user = User.by_user_name(rule['user'])
if not user:
raise BadRequest400("User '%s' does not exist" % rule['user'])
else:
user = None
if rule['group']:
try:
group = Group.by_name(rule['group'])
except NoResultFound:
raise BadRequest400("Group '%s' does not exist" % rule['group'])
else:
group = None
try:
permission = SystemPermission.from_string(rule['permission'])
except ValueError:
raise BadRequest400
new_rule = policy.add_rule(user=user, group=group,
everybody=rule['everybody'], permission=permission)
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Added',
new=repr(new_rule))
return '', 204
def test_create_new_group(self):
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add ( + )').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]'). \
send_keys('Group FBZ')
b.find_element_by_xpath('//input[@id="Group_group_name"]'). \
send_keys('FBZ')
b.find_element_by_xpath('//input[@id="Group_root_password"]'). \
send_keys('blapppy7')
b.find_element_by_xpath('//input[@value="Save"]').click()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text('FBZ').click()
with session.begin():
self.assertEquals(Activity.query.filter_by(service=u'WEBUI',
field_name=u'Group', action=u'Added',
new_value=u'Group FBZ').count(), 1)
group = Group.by_name(u'FBZ')
self.assertEquals(group.display_name, u'Group FBZ')
self.assert_(group.has_owner(self.user))
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, self.user.user_name)
self.assertEquals(group.activity[-1].service, u'WEBUI')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value, self.user.user_name)
self.assertEquals(group.activity[-2].service, u'WEBUI')
self.failUnless(crypt.crypt('blapppy7', group.root_password) ==
group.root_password, group.root_password)
def grant_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.ldap:
raise GroupOwnerModificationForbidden(
'An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden(
'You are not an owner of the group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
else:
for assoc in group.user_group_assocs:
if assoc.user == user:
if not assoc.is_owner:
assoc.is_owner = True
group.record_activity(user=identity.current.user,
service=service,
field=u'Owner',
action='Added',
old=u'',
new=user.user_name)
return ''
def members(self, group_name):
"""
List the members of an existing group.
:param group_name: An existing group name
:type group_name: string
Returns a list of the members (a dictionary containing each
member's username, email, and whether the member is an owner
or not).
"""
try:
group = Group.by_name(group_name)
except NoResultFound:
raise BX(_(u'Group does not exist: %s.' % group_name))
users=[]
for u in group.users:
user={}
user['username']=u.user_name
user['email'] = u.email_address
if group.has_owner(u):
user['owner'] = True
else:
user['owner'] = False
users.append(user)
return users
def grant_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.ldap:
raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden('You are not an owner of the group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
else:
for assoc in group.user_group_assocs:
if assoc.user == user:
if not assoc.is_owner:
assoc.is_owner = True
group.record_activity(user=identity.current.user, service=service,
field=u'Owner', action='Added',
old=u'', new=user.user_name)
return ''
def members(self, group_name):
"""
List the members of an existing group.
:param group_name: An existing group name
:type group_name: string
Returns a list of the members (a dictionary containing each
member's username, email, and whether the member is an owner
or not).
"""
try:
group = Group.by_name(group_name)
except NoResultFound:
raise BX(_(u'Group does not exist: %s.' % group_name))
users = []
for u in group.users:
user = {}
user['username'] = u.user_name
user['email'] = u.email_address
if group.has_owner(u):
user['owner'] = True
else:
user['owner'] = False
users.append(user)
return users
def test_ldap_group(self):
if not config.get("identity.ldap.enabled", False):
raise SkipTest('Server is not configured for LDAP')
group_name = u'wyfp'
display_name = u'My LDAP Group'
out = run_client(['bkr', 'group-create', '--ldap',
'--display-name', display_name,
group_name])
group = Group.by_name(group_name)
self.assertEquals(group.membership_type, GroupMembershipType.ldap)
self.assertEquals(group.users, [User.by_user_name(u'asaha')])
with session.begin():
rand_user = data_setup.create_user(password = '******')
rand_client_config = create_client_config(username=rand_user.user_name,
password='******')
group_name = u'alp'
display_name = u'ALP'
try:
out = run_client(['bkr', 'group-create', '--ldap',
'--display-name', display_name,
group_name],
config = rand_client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('Only admins can create LDAP groups' in
e.stderr_output)
def _from_csv(cls,system,data,csv_type,log):
"""
Import data from CSV file into system.groups
"""
if 'group' in data and data['group']:
try:
group = Group.by_name(data['group'])
except InvalidRequestError:
group = Group(group_name=data['group'],
display_name=data['group'])
session.add(group)
deleted = False
if 'deleted' in data:
deleted = smart_bool(data['deleted'])
if deleted:
if group in system.groups:
activity = SystemActivity(identity.current.user, 'CSV', 'Removed', 'group', '%s' % group, '')
system.activity.append(activity)
system.groups.remove(group)
else:
if group not in system.groups:
system.groups.append(group)
activity = SystemActivity(identity.current.user, 'CSV', 'Added', 'group', '', '%s' % group)
system.activity.append(activity)
else:
log.append("%s: group can't be empty!" % system.fqdn)
return False
return True
def from_csv(cls,user,data,log):
"""
Import data from CSV file into user.groups
"""
if 'group' in data and data['group']:
try:
group = Group.by_name(data['group'])
except InvalidRequestError:
group = Group(group_name=data['group'],
display_name=data['group'])
session.add(group)
deleted = False
if 'deleted' in data:
deleted = smart_bool(data['deleted'])
if deleted:
if group in user.groups:
group.record_activity(user=identity.current.user, service=u'CSV',
field=u'User', action=u'Removed', old=user)
user.groups.remove(group)
else:
if group not in user.groups:
group.record_activity(user=identity.current.user, service=u'CSV',
field=u'User', action=u'Added', new=user)
user.groups.append(group)
else:
log.append("%s: group can't be empty!" % user)
return False
return True
def from_csv(cls,user,data,log):
"""
Import data from CSV file into user.groups
"""
if 'group' in data and data['group']:
try:
group = Group.by_name(data['group'])
except InvalidRequestError:
group = Group(group_name=data['group'],
display_name=data['group'])
session.add(group)
deleted = False
if 'deleted' in data:
deleted = smart_bool(data['deleted'])
if deleted:
if group in user.groups:
group.remove_member(user, service=u'CSV',
agent=identity.current.user)
else:
if group not in user.groups:
group.add_member(user, service=u'CSV',
agent=identity.current.user)
else:
log.append("%s: group can't be empty!" % user)
return False
return True
def test_create_new_group(self):
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]'). \
send_keys('Group FBZ')
b.find_element_by_xpath('//input[@id="Group_group_name"]'). \
send_keys('FBZ')
b.find_element_by_xpath('//input[@id="Group_root_password"]'). \
send_keys('blapppy7')
b.find_element_by_id('Group').submit()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text('FBZ').click()
with session.begin():
group = Group.by_name(u'FBZ')
self.assertEquals(group.display_name, u'Group FBZ')
self.assert_(group.has_owner(self.user))
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value,
self.user.user_name)
self.assertEquals(group.activity[-1].service, u'WEBUI')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value,
self.user.user_name)
self.assertEquals(group.activity[-2].service, u'WEBUI')
self.assertEquals(group.activity[-3].action, u'Created')
self.assertEquals(group.activity[-3].service, u'WEBUI')
self.assertEquals('blapppy7', group.root_password)
def test_group_modify_add_member(self):
with session.begin():
user = data_setup.create_user()
out = run_client(['bkr', 'group-modify',
'--add-member', user.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user.user_name in
[u.user_name for u in group.users])
self.check_notification(user, group, action='Added')
try:
out = run_client(['bkr', 'group-modify',
'--add-member', 'idontexist',
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('User does not exist' in
e.stderr_output, e.stderr_output)
def process_xmljob(self, xmljob, user, ignore_missing_tasks=False):
# We start with the assumption that the owner == 'submitting user', until
# we see otherwise.
submitter = user
if user.rootpw_expired:
raise BX(
_('Your root password has expired, please change or clear it in order to submit jobs.'
))
owner_name = xmljob.get_xml_attr('user', unicode, None)
if owner_name:
owner = User.by_user_name(owner_name)
if owner is None:
raise ValueError('%s is not a valid user name' % owner_name)
if not submitter.is_delegate_for(owner):
raise ValueError(
'%s is not a valid submission delegate for %s' %
(submitter, owner))
else:
owner = user
group_name = xmljob.get_xml_attr('group', unicode, None)
group = None
if group_name:
try:
group = Group.by_name(group_name)
except NoResultFound, e:
raise ValueError('%s is not a valid group' % group_name)
if group not in owner.groups:
raise BX(
_(u'User %s is not a member of group %s' %
(owner.user_name, group.group_name)))
def process_xmljob(self, xmljob, user, ignore_missing_tasks=False):
# We start with the assumption that the owner == 'submitting user', until
# we see otherwise.
submitter = user
if user.rootpw_expired:
raise BX(_('Your root password has expired, please change or clear it in order to submit jobs.'))
owner_name = xmljob.get_xml_attr('user', unicode, None)
if owner_name:
owner = User.by_user_name(owner_name)
if owner is None:
raise ValueError('%s is not a valid user name' % owner_name)
if not submitter.is_delegate_for(owner):
raise ValueError('%s is not a valid submission delegate for %s' % (submitter, owner))
else:
owner = user
group_name = xmljob.get_xml_attr('group', unicode, None)
group = None
if group_name:
try:
group = Group.by_name(group_name)
except NoResultFound, e:
raise ValueError('%s is not a valid group' % group_name)
if group not in owner.groups:
raise BX(_(u'User %s is not a member of group %s' % (owner.user_name, group.group_name)))
def create_admin(user_name=None, **kwargs):
if user_name is None:
user_name = unique_name(u'admin%s')
user = create_user(user_name=user_name, **kwargs)
group = Group.by_name(u'admin')
group.add_member(user, service=u'testdata')
return user
def test_group_modify_add_member(self):
with session.begin():
user = data_setup.create_user()
out = run_client([
'bkr', 'group-modify', '--add-member', user.user_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user.user_name in [u.user_name for u in group.users])
self.check_notification(user, group, action='Added')
try:
out = run_client([
'bkr', 'group-modify', '--add-member', 'idontexist',
self.group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('User idontexist does not exist' in e.stderr_output,
e.stderr_output)
def test_group_modify_group_name(self):
group_name = u'mynewgroup'
out = run_client([
'bkr', 'group-modify', '--group-name', group_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(group_name)
self.assertEquals(group.group_name, group_name)
self.assertEquals(group.activity[-1].action, u'Changed')
self.assertEquals(group.activity[-1].field_name, u'Name')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, group_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client([
'bkr', 'group-modify', '--group-name',
'areallylonggroupname' * 20, self.group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assertIn(
'Group name must be not more than 255 characters long',
e.stderr_output)
def from_csv(cls, user, data, log):
"""
Import data from CSV file into user.groups
"""
if 'group' in data and data['group']:
try:
group = Group.by_name(data['group'])
except InvalidRequestError:
group = Group(group_name=data['group'],
display_name=data['group'])
session.add(group)
deleted = False
if 'deleted' in data:
deleted = smart_bool(data['deleted'])
if deleted:
if group in user.groups:
group.remove_member(user,
service=u'CSV',
agent=identity.current.user)
else:
if group not in user.groups:
group.add_member(user,
service=u'CSV',
agent=identity.current.user)
else:
log.append("%s: group can't be empty!" % user)
return False
return True
def test_ldap_group(self):
group_name = u'wyfp'
display_name = u'My LDAP Group'
out = run_client([
'bkr', 'group-create', '--ldap', '--display-name', display_name,
group_name
])
group = Group.by_name(group_name)
self.assertEquals(group.membership_type, GroupMembershipType.ldap)
self.assertEquals(group.users, [User.by_user_name(u'asaha')])
with session.begin():
rand_user = data_setup.create_user(password='******')
rand_client_config = create_client_config(username=rand_user.user_name,
password='******')
group_name = u'alp'
display_name = u'ALP'
try:
out = run_client([
'bkr', 'group-create', '--ldap', '--display-name',
display_name, group_name
],
config=rand_client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_(
'Only admins can create LDAP groups' in e.stderr_output)
def revoke_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.membership_type == GroupMembershipType.ldap:
raise GroupOwnerModificationForbidden(
'An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden(
'You are not an owner of group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
if len(group.owners()) == 1 and not identity.current.user.is_admin():
raise GroupOwnerModificationForbidden(
'Cannot remove the only owner')
else:
group.revoke_ownership(user=user,
agent=identity.current.user,
service=service)
# hack to return the user removing this owner
# so that if the user was logged in as a group
# owner, he/she can be redirected appropriately
return str(identity.current.user.user_id)
def revoke_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.ldap:
raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
if len(group.owners())==1 and not identity.current.user.is_admin():
raise GroupOwnerModificationForbidden('Cannot remove the only owner')
else:
for assoc in group.user_group_assocs:
if assoc.user == user:
if assoc.is_owner:
assoc.is_owner = False
group.record_activity(user=identity.current.user, service=service,
field=u'Owner', action='Removed',
old=user.user_name, new=u'')
# hack to return the user removing this owner
# so that if the user was logged in as a group
# owner, he/she can be redirected appropriately
return str(identity.current.user.user_id)
def test_ldap_group(self):
group_name = 'wyfp'
display_name = 'My LDAP Group'
out = run_client(['bkr', 'group-create', '--ldap',
'--display-name', display_name,
group_name])
group = Group.by_name(group_name)
self.assertEquals(group.ldap, True)
self.assertEquals(group.users, [User.by_user_name(u'asaha')])
with session.begin():
rand_user = data_setup.create_user(password = '******')
rand_client_config = create_client_config(username=rand_user.user_name,
password='******')
group_name = 'alp'
display_name = 'ALP'
try:
out = run_client(['bkr', 'group-create', '--ldap',
'--display-name', display_name,
group_name],
config = rand_client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('Only admins can create LDAP groups' in
e.stderr_output)
def test_group_modify_group_name(self):
group_name = 'mynewgroup'
out = run_client(['bkr', 'group-modify',
'--group-name', group_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(group_name)
self.assertEquals(group.group_name, group_name)
self.assertEquals(group.activity[-1].action, u'Changed')
self.assertEquals(group.activity[-1].field_name, u'Name')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, group_name)
self.assertEquals(group.activity[-1].service, u'XMLRPC')
try:
out = run_client(['bkr', 'group-modify',
'--group-name', 'areallylonggroupname'*20,
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError,e:
max_length = Group.group_name.property.columns[0].type.length
self.assertRegexpMatches(e.stderr_output,
'Enter a value (less|not more) than %r characters long' % max_length)
def test_create_new_group(self):
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]'). \
send_keys('Group FBZ')
b.find_element_by_xpath('//input[@id="Group_group_name"]'). \
send_keys('FBZ')
b.find_element_by_xpath('//input[@id="Group_root_password"]'). \
send_keys('blapppy7')
b.find_element_by_id('Group').submit()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text('FBZ').click()
with session.begin():
group = Group.by_name(u'FBZ')
self.assertEquals(group.display_name, u'Group FBZ')
self.assert_(group.has_owner(self.user))
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, self.user.user_name)
self.assertEquals(group.activity[-1].service, u'WEBUI')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value, self.user.user_name)
self.assertEquals(group.activity[-2].service, u'WEBUI')
self.assertEquals(group.activity[-3].action, u'Created')
self.assertEquals(group.activity[-3].service, u'WEBUI')
self.assertEquals('blapppy7', group.root_password)
def grant_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.membership_type == GroupMembershipType.ldap:
raise GroupOwnerModificationForbidden(
'An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden(
'You are not an owner of the group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
else:
group.grant_ownership(user=user,
agent=identity.current.user,
service=service)
return ''
def test_add_remove_owner_group(self):
with session.begin():
user = data_setup.create_user(password='******')
group = data_setup.create_group(owner=user)
user1 = data_setup.create_user(password='******')
b = self.browser
login(b, user=user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
# remove self (as only owner)
b.find_element_by_link_text(group.group_name).click()
b.find_element_by_xpath('//td[preceding-sibling::td/text()="%s"]' % user.user_name)\
.find_element_by_link_text('Remove').click()
flash_text = b.find_element_by_class_name('flash').text
self.assert_("Cannot remove the only owner" in flash_text)
# add a new user as owner
b.find_element_by_xpath('//input[@id="GroupUser_user_text"]').send_keys(user1.user_name)
b.find_element_by_id('GroupUser').submit()
b.find_element_by_xpath('//td[text()="%s"]' % user1.user_name)
b.find_element_by_xpath('//td[preceding-sibling::td/text()="%s"]' % user1.user_name)\
.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//td[preceding-sibling::td/text()="%s"]' % user1.user_name)\
.find_element_by_link_text('Remove')
logout(b)
# login as the new user and check for ownership
login(b, user=user1.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text(group.group_name).click()
b.find_element_by_xpath('//input')
with session.begin():
self.assertEquals(Activity.query.filter_by(service=u'WEBUI',
field_name=u'Owner', action=u'Added',
new_value=user1.user_name).count(), 1)
group = Group.by_name(group.group_name)
self.assert_(group.has_owner(user1))
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, user1.user_name)
self.assertEquals(group.activity[-1].service, u'WEBUI')
# remove self as owner
b.find_element_by_xpath('//td[preceding-sibling::td/text()="%s"]' % user1.user_name)\
.find_element_by_link_text('Remove').click()
b.find_element_by_xpath('//title[text()="My Groups"]')
with session.begin():
self.assertEquals(Activity.query.filter_by(service=u'WEBUI',
field_name=u'Owner', action=u'Removed',
old_value=user1.user_name).count(), 1)
session.refresh(group)
self.assertEquals(group.activity[-1].action, u'Removed')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].old_value, user1.user_name)
self.assertEquals(group.activity[-1].service, u'WEBUI')
def save(self,
group_id=None,
display_name=None,
group_name=None,
ldap=False,
root_password=None,
**kwargs):
user = identity.current.user
if ldap and not user.is_admin():
flash(_(u'Only admins can create LDAP groups'))
redirect('mine')
try:
group = Group.by_id(group_id)
except DatabaseLookupError:
flash(_(u"Group %s does not exist." % group_id))
redirect('mine')
try:
Group.by_name(group_name)
except NoResultFound:
pass
else:
if group_name != group.group_name:
flash(
_(u'Failed to update group %s: Group name already exists: %s'
% (group.group_name, group_name)))
redirect('mine')
if not group.can_edit(user):
flash(_(u'You are not an owner of group %s' % group))
redirect('../groups/mine')
try:
group.set_name(user, u'WEBUI', group_name)
group.set_display_name(user, u'WEBUI', display_name)
group.ldap = ldap
group.set_root_password(user, u'WEBUI', root_password)
except BeakerException, err:
session.rollback()
flash(_(u'Failed to update group %s: %s' %
(group.group_name, err)))
redirect('.')
def test_group_description(self):
group_name = data_setup.unique_name(u'group%s')
description = 'This is a boring group'
out = run_client(
['bkr', 'group-create', '--description', description, group_name])
self.assert_('Group created' in out, out)
with session.begin():
group = Group.by_name(group_name)
self.assertEquals(group.description, description)
def test_group_modify_revoke_owner(self):
with session.begin():
user1 = data_setup.create_user()
self.group.add_member(user1)
user2 = data_setup.create_user()
self.group.add_member(user2)
user3 = data_setup.create_user()
out = run_client([
'bkr', 'group-modify', '--grant-owner', user1.user_name,
'--grant-owner', user2.user_name, self.group.group_name
],
config=self.client_config)
out = run_client([
'bkr', 'group-modify', '--revoke-owner', user1.user_name,
'--revoke-owner', user2.user_name, self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(
user1.user_id not in [u.user_id for u in group.owners()])
self.assert_(
user2.user_id not in [u.user_id for u in group.owners()])
self.assertEquals(
Activity.query.filter_by(service=u'HTTP',
field_name=u'Owner',
action=u'Removed',
old_value=user2.user_name).count(), 1)
self.assertEquals(group.activity[-1].action, u'Removed')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].old_value, user2.user_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client([
'bkr', 'group-modify', '--revoke-owner', user3.user_name,
self.group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError as e:
self.assert_('User is not a member of group' in e.stderr_output)
try:
out = run_client([
'bkr', 'group-modify', '--revoke-owner', user3.user_name,
self.fake_ldap_group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError as e:
self.assert_('Cannot edit ownership of group' in e.stderr_output,
e.stderr_output)
def create(self, kw):
"""
Creates a new group.
The *kw* argument must be an XML-RPC structure (dict)
specifying the following keys:
'group_name'
Group name (maximum 16 characters)
'display_name'
Group display name
'ldap'
Populate users from LDAP (True/False)
Returns a message whether the group was successfully created or
raises an exception on failure.
"""
display_name = kw.get('display_name')
group_name = kw.get('group_name')
ldap = kw.get('ldap')
password = kw.get('root_password')
if ldap and not identity.current.user.is_admin():
raise BX(_(u'Only admins can create LDAP groups'))
try:
group = Group.by_name(group_name)
except NoResultFound:
#validate
GroupFormSchema.fields['group_name'].to_python(group_name)
GroupFormSchema.fields['display_name'].to_python(display_name)
group = Group()
session.add(group)
group.record_activity(user=identity.current.user, service=u'XMLRPC',
field=u'Group', action=u'Created')
group.display_name = display_name
group.group_name = group_name
group.ldap = ldap
group.root_password = password
user = identity.current.user
if not ldap:
group.user_group_assocs.append(UserGroup(user=user, is_owner=True))
group.activity.append(GroupActivity(user, service=u'XMLRPC',
action=u'Added', field_name=u'User',
old_value=None, new_value=user.user_name))
group.activity.append(GroupActivity(user, service=u'XMLRPC',
action=u'Added', field_name=u'Owner',
old_value=None, new_value=user.user_name))
if group.ldap:
group.refresh_ldap_members()
return 'Group created: %s.' % group_name
else:
raise BX(_(u'Group already exists: %s.' % group_name))
def _new_group(self, group_id, display_name, group_name, ldap,
root_password):
user = identity.current.user
if ldap and not user.is_admin():
flash(_(u'Only admins can create LDAP groups'))
redirect('.')
try:
Group.by_name(group_name)
except NoResultFound:
pass
else:
flash(_(u"Group %s already exists." % group_name))
redirect(".")
group = Group()
session.add(group)
group.record_activity(user=user,
service=u'WEBUI',
field=u'Group',
action=u'Created')
group.display_name = display_name
group.group_name = group_name
group.ldap = ldap
if group.ldap:
group.refresh_ldap_members()
group.root_password = root_password
if not ldap: # LDAP groups don't have owners
group.user_group_assocs.append(UserGroup(user=user, is_owner=True))
group.activity.append(
GroupActivity(user,
service=u'WEBUI',
action=u'Added',
field_name=u'User',
old_value=None,
new_value=user.user_name))
group.activity.append(
GroupActivity(user,
service=u'WEBUI',
action=u'Added',
field_name=u'Owner',
old_value=None,
new_value=user.user_name))
return group
def test_group_modify_remove_member(self):
with session.begin():
user = data_setup.create_user()
self.group.add_member(user)
session.flush()
self.assert_(user in self.group.users)
mail_capture_thread.start_capturing()
out = run_client([
'bkr', 'group-modify', '--remove-member', user.user_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(
user.user_name not in [u.user_name for u in group.users])
self.check_notification(user, group, action='Removed')
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assertEquals(group.activity[-1].action, u'Removed')
self.assertEquals(group.activity[-1].field_name, u'User')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].old_value, user.user_name)
self.assertEquals(group.activity[-1].new_value, None)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client([
'bkr', 'group-modify', '--remove-member', 'idontexist',
self.group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('User idontexist does not exist' in e.stderr_output,
e.stderr_output)
def test_remove_self_admin_group(self):
with session.begin():
user = data_setup.create_admin(password='******')
b = self.browser
login(b, user=user.user_name, password='******')
# admin should be in groups/mine
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('admin').click()
# remove self
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % user.user_name)\
.find_element_by_link_text('Remove').click()
self.assertEquals(
b.find_element_by_class_name('flash').text,
'%s Removed' % user.user_name)
# admin should not be in groups/mine
b.get(get_server_base() + 'groups/mine')
check_group_search_results(b, absent=[Group.by_name(u'admin')])
logout(b)
# login as admin
login(b)
group = Group.by_name('admin')
group_users = group.users
# remove all other users from 'admin'
b.get(get_server_base() + 'groups/edit?group_id=1')
for usr in group_users:
if usr.user_id != 1:
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % usr.user_name)\
.find_element_by_link_text('Remove').click()
self.assertEquals(
b.find_element_by_class_name('flash').text,
'%s Removed' % usr.user_name)
# attempt to remove admin user
b.find_element_by_xpath(
'//a[@href="removeUser?group_id=1&id=1"]').click()
self.assert_('Cannot remove member' in b.find_element_by_class_name(
'flash').text)
def test_group_description(self):
group_name = data_setup.unique_name(u'group%s')
description = 'This is a boring group'
out = run_client(['bkr', 'group-create',
'--description', description,
group_name])
self.assert_('Group created' in out, out)
with session.begin():
group = Group.by_name(group_name)
self.assertEquals(group.description, description)
def create(self, kw):
"""
Creates a new group.
The *kw* argument must be an XML-RPC structure (dict)
specifying the following keys:
'group_name'
Group name (maximum 16 characters)
'display_name'
Group display name
'description'
Group description
'ldap'
Populate users from LDAP (True/False)
Returns a message whether the group was successfully created or
raises an exception on failure.
"""
display_name = kw.get('display_name')
group_name = kw.get('group_name')
description = kw.get('description')
ldap = kw.get('ldap')
password = kw.get('root_password')
if ldap and not identity.current.user.is_admin():
raise BX(_(u'Only admins can create LDAP groups'))
if ldap and not config.get("identity.ldap.enabled", False):
raise BX(_(u'LDAP is not enabled'))
try:
group = Group.by_name(group_name)
except NoResultFound:
group = Group()
session.add(group)
group.record_activity(user=identity.current.user,
service=u'XMLRPC',
field=u'Group',
action=u'Created')
group.display_name = display_name
group.group_name = group_name
group.description = description
group.root_password = password
if ldap:
group.membership_type = GroupMembershipType.ldap
group.refresh_ldap_members()
else:
group.add_member(identity.current.user,
is_owner=True,
service=u'XMLRPC',
agent=identity.current.user)
return 'Group created: %s.' % group_name
else:
raise BX(_(u'Group already exists: %s.' % group_name))
def test_group_create(self):
group_name = data_setup.unique_name('group%s')
display_name = 'My Group'
out = run_client([
'bkr', 'group-create', '--display-name', display_name, group_name
])
self.assert_('Group created' in out, out)
with session.begin():
group = Group.by_name(group_name)
self.assertEquals(group.display_name, display_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value,
data_setup.ADMIN_USER)
self.assertEquals(group.activity[-1].service, u'XMLRPC')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value,
data_setup.ADMIN_USER)
self.assertEquals(group.activity[-2].service, u'XMLRPC')
self.assertEquals(group.activity[-3].action, u'Created')
self.assertEquals(group.activity[-3].service, u'XMLRPC')
group_name = data_setup.unique_name('group%s')
out = run_client(['bkr', 'group-create', group_name])
self.assert_('Group created' in out, out)
with session.begin():
group = Group.by_name(group_name)
self.assertEqual(group.group_name, group_name)
self.assertEqual(group.display_name, group_name)
group_name = data_setup.unique_name('group%s')
try:
out = run_client(['bkr', 'group-create', group_name, group_name])
self.fail('Must fail or die')
except ClientError, e:
self.assert_(
'Exactly one group name must be specified' in e.stderr_output,
e.stderr_output)
def test_group_modify_remove_member(self):
with session.begin():
user = data_setup.create_user()
self.group.add_member(user)
session.flush()
self.assert_(user in self.group.users)
mail_capture_thread.start_capturing()
out = run_client(['bkr', 'group-modify',
'--remove-member', user.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user.user_name not in
[u.user_name for u in group.users])
self.check_notification(user, group, action='Removed')
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assertEquals(group.activity[-1].action, u'Removed')
self.assertEquals(group.activity[-1].field_name, u'User')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].old_value, user.user_name)
self.assertEquals(group.activity[-1].new_value, None)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client(['bkr', 'group-modify',
'--remove-member', 'idontexist',
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('User idontexist does not exist' in
e.stderr_output, e.stderr_output)
def test_cannot_delete_protected_group_by_admin(self):
with session.begin():
user = data_setup.create_admin(password='******')
admin_group = Group.by_name('admin')
b = self.browser
login(b, user=user.user_name, password='******')
b.get(get_server_base() + 'groups/')
self.assert_('Delete' not in b.find_element_by_xpath(
"//tr[(td[1]/a[text()='%s'])]" % admin_group.group_name).text)
b.get(get_server_base() + 'groups/mine')
self.assert_('Delete' not in b.find_element_by_xpath(
"//tr[(td[1]/a[text()='%s'])]" % admin_group.group_name).text)
