def test_adds_missing_accesspolicyartifacts(self): # reconcile_access_for_artifact adds missing links. product = self.factory.makeProduct() bug = self.factory.makeBug(target=product) reconcile_access_for_artifact(bug, InformationType.USERDATA, []) self.assertPoliciesForBug([], bug) reconcile_access_for_artifact(bug, InformationType.USERDATA, [product]) self.assertPoliciesForBug([(product, InformationType.USERDATA)], bug)
def test_creates_missing_accessartifact(self): # reconcile_access_for_artifact creates an AccessArtifact for a # private artifact if there isn't one already. bug = self.factory.makeBug() self.assertTrue( getUtility(IAccessArtifactSource).find([bug]).is_empty()) reconcile_access_for_artifact(bug, InformationType.USERDATA, []) self.assertFalse( getUtility(IAccessArtifactSource).find([bug]).is_empty())
def test_adds_missing_accesspolicyartifacts(self): # reconcile_access_for_artifact adds missing links. product = self.factory.makeProduct() bug = self.factory.makeBug(target=product) reconcile_access_for_artifact(bug, InformationType.USERDATA, []) self.assertPoliciesForBug([], bug) reconcile_access_for_artifact( bug, InformationType.USERDATA, [product]) self.assertPoliciesForBug([(product, InformationType.USERDATA)], bug)
def test_creates_missing_accessartifact(self): # reconcile_access_for_artifact creates an AccessArtifact for a # private artifact if there isn't one already. bug = self.factory.makeBug() self.assertTrue( getUtility(IAccessArtifactSource).find([bug]).is_empty()) reconcile_access_for_artifact(bug, InformationType.USERDATA, []) self.assertFalse( getUtility(IAccessArtifactSource).find([bug]).is_empty())
def test_removes_extra_accessartifact(self): # reconcile_access_for_artifact removes an AccessArtifact for a # public artifact if there's one left over. bug = self.factory.makeBug() reconcile_access_for_artifact(bug, InformationType.USERDATA, []) self.assertFalse( getUtility(IAccessArtifactSource).find([bug]).is_empty()) reconcile_access_for_artifact(bug, InformationType.PUBLIC, []) self.assertTrue( getUtility(IAccessArtifactSource).find([bug]).is_empty())
def test_removes_extra_accessartifact(self): # reconcile_access_for_artifact removes an AccessArtifact for a # public artifact if there's one left over. bug = self.factory.makeBug() reconcile_access_for_artifact(bug, InformationType.USERDATA, []) self.assertFalse( getUtility(IAccessArtifactSource).find([bug]).is_empty()) reconcile_access_for_artifact(bug, InformationType.PUBLIC, []) self.assertTrue( getUtility(IAccessArtifactSource).find([bug]).is_empty())
def test_removes_extra_accesspolicyartifacts(self): # reconcile_access_for_artifact removes excess links. bug = self.factory.makeBug() product = self.factory.makeProduct() other_product = self.factory.makeProduct() reconcile_access_for_artifact(bug, InformationType.USERDATA, [product, other_product]) self.assertPoliciesForBug([(product, InformationType.USERDATA), (other_product, InformationType.USERDATA)], bug) reconcile_access_for_artifact(bug, InformationType.USERDATA, [product]) self.assertPoliciesForBug([(product, InformationType.USERDATA)], bug)
def test_removes_extra_accesspolicyartifacts(self): # reconcile_access_for_artifact removes excess links. bug = self.factory.makeBug() product = self.factory.makeProduct() other_product = self.factory.makeProduct() reconcile_access_for_artifact( bug, InformationType.USERDATA, [product, other_product]) self.assertPoliciesForBug( [(product, InformationType.USERDATA), (other_product, InformationType.USERDATA)], bug) reconcile_access_for_artifact( bug, InformationType.USERDATA, [product]) self.assertPoliciesForBug([(product, InformationType.USERDATA)], bug)
def transitionToInformationType(self, information_type, who): """See ISpecification.""" # avoid circular imports. from lp.registry.model.accesspolicy import ( reconcile_access_for_artifact, ) if self.information_type == information_type: return False if information_type not in self.getAllowedInformationTypes(who): raise CannotChangeInformationType("Forbidden by project policy.") self.information_type = information_type reconcile_access_for_artifact(self, information_type, [self.target]) if information_type in PRIVATE_INFORMATION_TYPES and self.subscribers: # Grant the subscribers access if they do not have a # policy grant. service = getUtility(IService, 'sharing') blind_subscribers = service.getPeopleWithoutAccess( self, self.subscribers) if len(blind_subscribers): service.ensureAccessGrants(blind_subscribers, who, specifications=[self], ignore_permissions=True) return True
def transitionToInformationType(self, information_type, who): """See ISpecification.""" # avoid circular imports. from lp.registry.model.accesspolicy import ( reconcile_access_for_artifact, ) if self.information_type == information_type: return False if information_type not in self.getAllowedInformationTypes(who): raise CannotChangeInformationType("Forbidden by project policy.") self.information_type = information_type reconcile_access_for_artifact(self, information_type, [self.target]) if information_type in PRIVATE_INFORMATION_TYPES and self.subscribers: # Grant the subscribers access if they do not have a # policy grant. service = getUtility(IService, 'sharing') blind_subscribers = service.getPeopleWithoutAccess( self, self.subscribers) if len(blind_subscribers): service.ensureAccessGrants( blind_subscribers, who, specifications=[self], ignore_permissions=True) return True
def _assert_artifact_change_unsubscribes(self, change_callback, configure_test): # Subscribers are unsubscribed if the artifact becomes invisible # due to a change in information_type. product = self.factory.makeProduct( specification_sharing_policy=( SpecificationSharingPolicy.EMBARGOED_OR_PROPRIETARY)) owner = self.factory.makePerson() [policy] = getUtility(IAccessPolicySource).find( [(product, InformationType.USERDATA)]) # The policy grantees will lose access. policy_indirect_grantee = self.factory.makePerson() policy_team_grantee = self.factory.makeTeam( membership_policy=TeamMembershipPolicy.RESTRICTED, members=[policy_indirect_grantee]) self.factory.makeAccessPolicyGrant(policy, policy_team_grantee, owner) login_person(owner) bug = self.factory.makeBug( owner=owner, target=product, information_type=InformationType.USERDATA) branch = self.factory.makeBranch( owner=owner, product=product, information_type=InformationType.USERDATA) specification = self.factory.makeSpecification( owner=owner, product=product, information_type=InformationType.PROPRIETARY) # The artifact grantees will not lose access when the job is run. artifact_indirect_grantee = self.factory.makePerson() artifact_team_grantee = self.factory.makeTeam( membership_policy=TeamMembershipPolicy.RESTRICTED, members=[artifact_indirect_grantee]) bug.subscribe(artifact_indirect_grantee, owner) branch.subscribe(artifact_indirect_grantee, BranchSubscriptionNotificationLevel.NOEMAIL, None, CodeReviewNotificationLevel.NOEMAIL, owner) # Subscribing somebody to a specification does not automatically # create an artifact grant. spec_artifact = self.factory.makeAccessArtifact(specification) self.factory.makeAccessArtifactGrant( spec_artifact, artifact_indirect_grantee) specification.subscribe(artifact_indirect_grantee, owner) # pick one of the concrete artifacts (bug, branch or spec) # and subscribe the teams and persons. concrete_artifact, get_pillars, get_subscribers = configure_test( bug, branch, specification, policy_team_grantee, policy_indirect_grantee, artifact_team_grantee, owner) # Subscribing policy_team_grantee has created an artifact grant so we # need to revoke that to test the job. artifact = self.factory.makeAccessArtifact(concrete=concrete_artifact) getUtility(IAccessArtifactGrantSource).revokeByArtifact( [artifact], [policy_team_grantee]) # policy grantees are subscribed because the job has not been run yet. subscribers = get_subscribers(concrete_artifact) self.assertIn(policy_team_grantee, subscribers) self.assertIn(policy_indirect_grantee, subscribers) # Change artifact attributes so that it can become inaccessible for # some users. change_callback(concrete_artifact) reconcile_access_for_artifact( concrete_artifact, concrete_artifact.information_type, get_pillars(concrete_artifact)) getUtility(IRemoveArtifactSubscriptionsJobSource).create( owner, [concrete_artifact]) with block_on_job(self): transaction.commit() # Check the result. Policy grantees will be unsubscribed. subscribers = get_subscribers(concrete_artifact) self.assertNotIn(policy_team_grantee, subscribers) self.assertNotIn(policy_indirect_grantee, subscribers) self.assertIn(artifact_team_grantee, subscribers) self.assertIn(artifact_indirect_grantee, bug.getDirectSubscribers()) self.assertIn(artifact_indirect_grantee, branch.subscribers) self.assertIn(artifact_indirect_grantee, specification.subscribers)
def _assert_artifact_change_unsubscribes(self, change_callback, configure_test): # Subscribers are unsubscribed if the artifact becomes invisible # due to a change in information_type. product = self.factory.makeProduct(specification_sharing_policy=( SpecificationSharingPolicy.EMBARGOED_OR_PROPRIETARY)) owner = self.factory.makePerson() [policy] = getUtility(IAccessPolicySource).find([ (product, InformationType.USERDATA) ]) # The policy grantees will lose access. policy_indirect_grantee = self.factory.makePerson() policy_team_grantee = self.factory.makeTeam( membership_policy=TeamMembershipPolicy.RESTRICTED, members=[policy_indirect_grantee]) self.factory.makeAccessPolicyGrant(policy, policy_team_grantee, owner) login_person(owner) bug = self.factory.makeBug(owner=owner, target=product, information_type=InformationType.USERDATA) branch = self.factory.makeBranch( owner=owner, product=product, information_type=InformationType.USERDATA) specification = self.factory.makeSpecification( owner=owner, product=product, information_type=InformationType.PROPRIETARY) # The artifact grantees will not lose access when the job is run. artifact_indirect_grantee = self.factory.makePerson() artifact_team_grantee = self.factory.makeTeam( membership_policy=TeamMembershipPolicy.RESTRICTED, members=[artifact_indirect_grantee]) bug.subscribe(artifact_indirect_grantee, owner) branch.subscribe(artifact_indirect_grantee, BranchSubscriptionNotificationLevel.NOEMAIL, None, CodeReviewNotificationLevel.NOEMAIL, owner) # Subscribing somebody to a specification does not automatically # create an artifact grant. spec_artifact = self.factory.makeAccessArtifact(specification) self.factory.makeAccessArtifactGrant(spec_artifact, artifact_indirect_grantee) specification.subscribe(artifact_indirect_grantee, owner) # pick one of the concrete artifacts (bug, branch or spec) # and subscribe the teams and persons. concrete_artifact, get_pillars, get_subscribers = configure_test( bug, branch, specification, policy_team_grantee, policy_indirect_grantee, artifact_team_grantee, owner) # Subscribing policy_team_grantee has created an artifact grant so we # need to revoke that to test the job. artifact = self.factory.makeAccessArtifact(concrete=concrete_artifact) getUtility(IAccessArtifactGrantSource).revokeByArtifact( [artifact], [policy_team_grantee]) # policy grantees are subscribed because the job has not been run yet. subscribers = get_subscribers(concrete_artifact) self.assertIn(policy_team_grantee, subscribers) self.assertIn(policy_indirect_grantee, subscribers) # Change artifact attributes so that it can become inaccessible for # some users. change_callback(concrete_artifact) reconcile_access_for_artifact(concrete_artifact, concrete_artifact.information_type, get_pillars(concrete_artifact)) getUtility(IRemoveArtifactSubscriptionsJobSource).create( owner, [concrete_artifact]) with block_on_job(self): transaction.commit() # Check the result. Policy grantees will be unsubscribed. subscribers = get_subscribers(concrete_artifact) self.assertNotIn(policy_team_grantee, subscribers) self.assertNotIn(policy_indirect_grantee, subscribers) self.assertIn(artifact_team_grantee, subscribers) self.assertIn(artifact_indirect_grantee, bug.getDirectSubscribers()) self.assertIn(artifact_indirect_grantee, branch.subscribers) self.assertIn(artifact_indirect_grantee, specification.subscribers)