def save_group_permissions(self, **kw):
try:
permission_name = kw['permissions']['text']
except KeyError:
log.exception('Permission not submitted correctly')
response.status = 403
return ['Permission not submitted correctly']
try:
permission = Permission.by_name(permission_name)
except NoResultFound:
log.exception('Invalid permission: %s' % permission_name)
response.status = 403
return ['Invalid permission value']
try:
group_id = kw['group_id']
except KeyError:
log.exception('Group id not submitted')
response.status = 403
return ['No group id given']
try:
group = Group.by_id(group_id)
except NoResultFound:
log.exception('Group id %s is not a valid group id' % group_id)
response.status = 403
return ['Invalid Group Id']
group = Group.by_id(group_id)
if permission not in group.permissions:
group.permissions.append(permission)
else:
response.status = 403
return ['%s already exists in group %s' %
(permission.permission_name, group.group_name)]
return {'name':permission_name, 'id':permission.permission_id}
def revoke_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.membership_type == GroupMembershipType.ldap:
raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
if len(group.owners())==1 and not identity.current.user.is_admin():
raise GroupOwnerModificationForbidden('Cannot remove the only owner')
else:
group.revoke_ownership(user=user, agent=identity.current.user, service=service)
# hack to return the user removing this owner
# so that if the user was logged in as a group
# owner, he/she can be redirected appropriately
return str(identity.current.user.user_id)
def grant_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.ldap:
raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden('You are not an owner of the group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
else:
for assoc in group.user_group_assocs:
if assoc.user == user:
if not assoc.is_owner:
assoc.is_owner = True
group.record_activity(user=identity.current.user, service=service,
field=u'Owner', action='Added',
old=u'', new=user.user_name)
return ''
def revoke_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.ldap:
raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
if len(group.owners())==1 and not identity.current.user.is_admin():
raise GroupOwnerModificationForbidden('Cannot remove the only owner')
else:
for assoc in group.user_group_assocs:
if assoc.user == user:
if assoc.is_owner:
assoc.is_owner = False
group.record_activity(user=identity.current.user, service=service,
field=u'Owner', action='Removed',
old=user.user_name, new=u'')
# hack to return the user removing this owner
# so that if the user was logged in as a group
# owner, he/she can be redirected appropriately
return str(identity.current.user.user_id)
def grant_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.ldap:
raise GroupOwnerModificationForbidden(
'An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden(
'You are not an owner of the group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
else:
for assoc in group.user_group_assocs:
if assoc.user == user:
if not assoc.is_owner:
assoc.is_owner = True
group.record_activity(user=identity.current.user,
service=service,
field=u'Owner',
action='Added',
old=u'',
new=user.user_name)
return ''
def revoke_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.membership_type == GroupMembershipType.ldap:
raise GroupOwnerModificationForbidden(
'An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden(
'You are not an owner of group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
if len(group.owners()) == 1 and not identity.current.user.is_admin():
raise GroupOwnerModificationForbidden(
'Cannot remove the only owner')
else:
group.revoke_ownership(user=user,
agent=identity.current.user,
service=service)
# hack to return the user removing this owner
# so that if the user was logged in as a group
# owner, he/she can be redirected appropriately
return str(identity.current.user.user_id)
def grant_owner(self, group_id=None, id=None, **kw):
if group_id is not None and id is not None:
group = Group.by_id(group_id)
user = User.by_id(id)
service = 'WEBUI'
else:
group = Group.by_name(kw['group_name'])
user = User.by_user_name(kw['member_name'])
service = 'XMLRPC'
if group.membership_type == GroupMembershipType.ldap:
raise GroupOwnerModificationForbidden(
'An LDAP group does not have an owner')
if not group.can_edit(identity.current.user):
raise GroupOwnerModificationForbidden(
'You are not an owner of the group %s' % group)
if user not in group.users:
raise GroupOwnerModificationForbidden('User is not a group member')
else:
group.grant_ownership(user=user,
agent=identity.current.user,
service=service)
return ''
def setUp(self):
self.selenium = self.get_selenium()
self.password = '******'
# create users
self.user_1 = data_setup.create_user(password=self.password)
self.user_2 = data_setup.create_user(password=self.password)
self.user_3 = data_setup.create_user(password=self.password)
# create admin users
self.admin_1 = data_setup.create_user(password=self.password)
self.admin_1.groups.append(Group.by_name(u'admin'))
self.admin_2 = data_setup.create_user(password=self.password)
self.admin_2.groups.append(Group.by_name(u'admin'))
# create systems
self.system_1 = data_setup.create_system(shared=True)
self.system_2 = data_setup.create_system(shared=True)
self.system_3 = data_setup.create_system(shared=False,
owner=self.user_3)
# create group and add users/systems to it
self.group_1 = data_setup.create_group()
self.user_3.groups.append(self.group_1)
self.admin_2.groups.append(self.group_1)
self.system_2.groups.append(self.group_1)
lc = data_setup.create_labcontroller()
self.system_1.lab_controller = lc
self.system_2.lab_controller = lc
self.system_3.lab_controller = lc
self.selenium.start()
def test_group_create(self):
group_name = data_setup.unique_name(u'group%s')
display_name = u'My Group'
out = run_client([
'bkr', 'group-create', '--display-name', display_name, group_name
])
self.assert_('Group created' in out, out)
with session.begin():
group = Group.by_name(group_name)
self.assertEquals(group.display_name, display_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value,
data_setup.ADMIN_USER)
self.assertEquals(group.activity[-1].service, u'HTTP')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value,
data_setup.ADMIN_USER)
self.assertEquals(group.activity[-2].service, u'HTTP')
self.assertEquals(group.activity[-3].action, u'Created')
self.assertEquals(group.activity[-3].service, u'HTTP')
group_name = data_setup.unique_name(u'group%s')
out = run_client(['bkr', 'group-create', group_name])
self.assert_('Group created' in out, out)
with session.begin():
group = Group.by_name(group_name)
self.assertEqual(group.group_name, group_name)
self.assertEqual(group.display_name, group_name)
group_name = data_setup.unique_name(u'group%s')
try:
_ = run_client(['bkr', 'group-create', group_name, group_name])
self.fail('Must fail or die')
except ClientError as e:
self.assert_(
'Exactly one group name must be specified' in e.stderr_output,
e.stderr_output)
try:
_ = run_client(
['bkr', 'group-create', 'areallylonggroupname' * 20])
self.fail('Must fail or die')
except ClientError as e:
self.assertIn(
'Group name must be not more than 255 characters long',
e.stderr_output)
try:
_ = run_client([
'bkr', 'group-create', '--display-name',
'A really long group display name' * 20, 'agroup'
])
self.fail('Must fail or die')
except ClientError as e:
self.assertIn(
'Group display name must be not more than 255 characters long',
e.stderr_output)
def test_group_modify_add_member(self):
with session.begin():
user = data_setup.create_user()
mail_capture_thread.start_capturing()
out = run_client(['bkr', 'group-modify',
'--add-member', user.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user.user_name in
[u.user_name for u in group.users])
self.check_notification(user, group, action='Added')
try:
out = run_client(['bkr', 'group-modify',
'--add-member', 'idontexist',
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError as e:
self.assert_('User idontexist does not exist' in
e.stderr_output, e.stderr_output)
try:
out = run_client(['bkr', 'group-modify',
'--add-member', user.user_name,
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError as e:
self.assert_('User %s is already a member of group %s'
% (user.user_name, self.group.group_name)
in e.stderr_output, e.stderr_output)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'User')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, user.user_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client(['bkr', 'group-modify',
'--add-member', user.user_name,
self.fake_ldap_group.group_name])
self.fail('Must fail or die')
except ClientError as e:
self.assert_('Cannot edit membership of group %s'
% self.fake_ldap_group.group_name
in e.stderr_output,e.stderr_output)
def create_group():
"""
Creates a new user group in Beaker. The request must be
:mimetype:`application/json`.
:jsonparam string group_name: Symbolic name for the group.
:jsonparam string display_name: Human-friendly display name for the group.
:jsonparam string description: Description of the group.
:jsonparam string root_password: Optional root password for group jobs.
If this is not set, group jobs will use the root password preferences of
the job submitter.
:jsonparam string membership_type: Specifies how group membership is populated.
Possible values are:
* normal: Group is initially empty, members are explicitly added and removed by
group owner.
* ldap: Membership is populated from the LDAP group with the same group name.
* inverted: Group contains all Beaker users *except* users who have been explicitly
excluded by the group owner.
:status 201: The group was successfully created.
"""
user = identity.current.user
data = read_json_request(request)
if 'group_name' not in data:
raise BadRequest400('Missing group_name key')
if 'display_name' not in data:
raise BadRequest400('Missing display_name key')
# for backwards compatibility
if data.pop('ldap', False):
data['membership_type'] = 'ldap'
try:
Group.by_name(data['group_name'])
except NoResultFound:
pass
else:
raise Conflict409("Group '%s' already exists" % data['group_name'])
with convert_internal_errors():
group = Group.lazy_create(group_name=data['group_name'])
group.display_name = data['display_name']
group.description = data.get('description')
group.root_password = data.get('root_password')
session.add(group)
group.record_activity(user=user,
service=u'HTTP',
field=u'Group',
action=u'Created')
if data.get('membership_type'):
group.membership_type = GroupMembershipType.from_string(
data['membership_type'])
if group.membership_type == GroupMembershipType.ldap:
group.refresh_ldap_members()
else: # LDAP groups don't have any owners
group.add_member(user, is_owner=True, agent=identity.current.user)
response = jsonify(group.__json__())
response.status_code = 201
response.headers.add('Location', absolute_url(group.href))
return response
def by_name(self, input,*args,**kw):
input = input.lower()
if 'anywhere' in kw:
search = Group.list_by_name(input, find_anywhere=True)
else:
search = Group.list_by_name(input)
groups = [match.group_name for match in search]
return dict(matches=groups)
def by_name(self, input, *args, **kw):
input = input.lower()
if 'anywhere' in kw:
search = Group.list_by_name(input, find_anywhere=True)
else:
search = Group.list_by_name(input)
groups = [match.group_name for match in search]
return dict(matches=groups)
def create(self, kw):
"""
Creates a new group.
The *kw* argument must be an XML-RPC structure (dict)
specifying the following keys:
'group_name'
Group name (maximum 16 characters)
'display_name'
Group display name
'ldap'
Populate users from LDAP (True/False)
Returns a message whether the group was successfully created or
raises an exception on failure.
"""
display_name = kw.get('display_name')
group_name = kw.get('group_name')
ldap = kw.get('ldap')
password = kw.get('root_password')
if ldap and not identity.current.user.is_admin():
raise BX(_(u'Only admins can create LDAP groups'))
try:
group = Group.by_name(group_name)
except NoResultFound:
#validate
GroupFormSchema.fields['group_name'].to_python(group_name)
GroupFormSchema.fields['display_name'].to_python(display_name)
group = Group()
session.add(group)
group.record_activity(user=identity.current.user, service=u'XMLRPC',
field=u'Group', action=u'Created')
group.display_name = display_name
group.group_name = group_name
group.ldap = ldap
group.root_password = password
user = identity.current.user
if not ldap:
group.user_group_assocs.append(UserGroup(user=user, is_owner=True))
group.activity.append(GroupActivity(user, service=u'XMLRPC',
action=u'Added', field_name=u'User',
old_value=None, new_value=user.user_name))
group.activity.append(GroupActivity(user, service=u'XMLRPC',
action=u'Added', field_name=u'Owner',
old_value=None, new_value=user.user_name))
if group.ldap:
group.refresh_ldap_members()
return 'Group created: %s.' % group_name
else:
raise BX(_(u'Group already exists: %s.' % group_name))
def create_group():
"""
Creates a new user group in Beaker. The request must be
:mimetype:`application/json`.
:jsonparam string group_name: Symbolic name for the group.
:jsonparam string display_name: Human-friendly display name for the group.
:jsonparam string description: Description of the group.
:jsonparam string root_password: Optional root password for group jobs.
If this is not set, group jobs will use the root password preferences of
the job submitter.
:jsonparam string membership_type: Specifies how group membership is populated.
Possible values are:
* normal: Group is initially empty, members are explicitly added and removed by
group owner.
* ldap: Membership is populated from the LDAP group with the same group name.
* inverted: Group contains all Beaker users *except* users who have been explicitly
excluded by the group owner.
:status 201: The group was successfully created.
"""
user = identity.current.user
data = read_json_request(request)
if 'group_name' not in data:
raise BadRequest400('Missing group_name key')
if 'display_name' not in data:
raise BadRequest400('Missing display_name key')
# for backwards compatibility
if data.pop('ldap', False):
data['membership_type'] = 'ldap'
try:
Group.by_name(data['group_name'])
except NoResultFound:
pass
else:
raise Conflict409("Group '%s' already exists" % data['group_name'])
with convert_internal_errors():
group = Group.lazy_create(group_name=data['group_name'])
group.display_name = data['display_name']
group.description = data.get('description')
group.root_password = data.get('root_password')
session.add(group)
group.record_activity(user=user, service=u'HTTP',
field=u'Group', action=u'Created')
if data.get('membership_type'):
group.membership_type = GroupMembershipType.from_string(
data['membership_type'])
if group.membership_type == GroupMembershipType.ldap:
group.refresh_ldap_members()
else: # LDAP groups don't have any owners
group.add_member(user, is_owner=True, agent=identity.current.user)
response = jsonify(group.__json__())
response.status_code = 201
response.headers.add('Location', absolute_url(group.href))
return response
def test_remove_user_from_owning_group(self):
with session.begin():
user = data_setup.create_user(password='******')
group_name = data_setup.unique_name('AAAAAA%s')
display_name = data_setup.unique_name('Group Display Name %s')
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]').send_keys(
display_name)
b.find_element_by_xpath('//input[@id="Group_group_name"]').send_keys(
group_name)
b.find_element_by_id('Group').submit()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text(group_name).click()
# add an user
b.find_element_by_xpath(
'//input[@id="GroupUser_user_text"]').send_keys(user.user_name)
b.find_element_by_id('GroupUser').submit()
self.mail_capture.captured_mails[:] = []
group_id = Group.by_name(group_name).group_id
username = user.user_name
user_id = user.user_id
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % username)\
.find_element_by_link_text('Remove').click()
self.assertEquals(
b.find_element_by_class_name('flash').text,
'%s Removed' % username)
with session.begin():
group = Group.by_name(group_name)
self.check_notification(user, group, action='Removed')
# remove self when I am the only owner of the group
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\
.find_element_by_link_text('Remove').click()
self.assert_('Cannot remove member' in b.find_element_by_class_name(
'flash').text)
# admin should be able to remove an owner, even if only one
logout(b)
#login back as admin
login(b)
b.get(get_server_base() + 'groups/edit?group_id=%s' % group_id)
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\
.find_element_by_link_text('Remove').click()
self.assert_(
'%s Removed' %
self.user.user_name in b.find_element_by_class_name('flash').text)
def test_group_modify_grant_owner(self):
with session.begin():
user1 = data_setup.create_user()
self.group.add_member(user1)
user2 = data_setup.create_user()
self.group.add_member(user2)
user3 = data_setup.create_user()
out = run_client([
'bkr', 'group-modify', '--grant-owner', user1.user_name,
'--grant-owner', user2.user_name, self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user1.user_id in [u.user_id for u in group.owners()])
self.assert_(user2.user_id in [u.user_id for u in group.owners()])
self.assertEquals(
Activity.query.filter_by(service=u'HTTP',
field_name=u'Owner',
action=u'Added',
new_value=user2.user_name).count(), 1)
group = Group.by_name(group.group_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, user2.user_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
# If the user is not a group member, add the user into the members list
# first and then grant the group ownership.
out = run_client([
'bkr', 'group-modify', '--grant-owner', user3.user_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assertIn(user3, group.users)
self.assertTrue(group.has_owner(user3))
try:
out = run_client([
'bkr', 'group-modify', '--grant-owner', user3.user_name,
self.fake_ldap_group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError as e:
self.assert_('Cannot edit ownership of group' in e.stderr_output,
e.stderr_output)
def test_adds_existing_user_to_admin_group(self):
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = data_setup.create_user()
self.assertNotIn(admin_group, existing_user.groups)
run_command('init.py', 'beaker-init', ['--user', existing_user.user_name])
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = User.query.get(existing_user.user_id)
self.assertIn(admin_group, existing_user.groups)
# run the same thing again, should have no effect but should not break
run_command('init.py', 'beaker-init', ['--user', existing_user.user_name])
def test_adds_existing_user_to_admin_group(self):
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = data_setup.create_user()
self.assertNotIn(admin_group, existing_user.groups)
populate_db(user_name=existing_user.user_name)
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = User.query.get(existing_user.user_id)
self.assertIn(admin_group, existing_user.groups)
# run the same thing again, should have no effect but should not break
populate_db(user_name=existing_user.user_name)
def test_adds_existing_user_to_admin_group(self):
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = data_setup.create_user()
self.assertNotIn(admin_group, existing_user.groups)
populate_db(user_name=existing_user.user_name)
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = User.query.get(existing_user.user_id)
self.assertIn(admin_group, existing_user.groups)
# run the same thing again, should have no effect but should not break
populate_db(user_name=existing_user.user_name)
def edit(self, group_id=None, group_name=None, **kw):
# Not just for editing, also provides a read-only view
if group_id is not None:
try:
group = Group.by_id(group_id)
except DatabaseLookupError:
log.exception('Group id %s is not a valid group id' % group_id)
flash(_(u'Need a valid group to search on'))
redirect('../groups/mine')
elif group_name is not None:
try:
group = Group.by_name(group_name)
except NoResultFound:
log.exception('Group name %s is not a valid group name' %
group_name)
flash(_(u'Need a valid group to search on'))
redirect('../groups/mine')
else:
redirect('../groups/mine')
usergrid = self.show_members(group)
can_edit = False
if identity.current.user:
can_edit = group.can_edit(identity.current.user)
permissions_fields = [('Permission', lambda x: x.permission_name)]
if can_edit:
permissions_fields.append((' ', lambda x: XML(
'<a class="btn" href="#" id="remove_permission_%s">'
'<i class="fa fa-times"/> Remove</a>' % x.permission_id)))
group_permissions_grid = BeakerDataGrid(name='group_permission_grid',
fields=permissions_fields)
group_permissions = GroupPermissions()
return dict(
form=self.group_form,
user_form=self.group_user_form,
group_edit_js=LocalJSLink('bkr',
'/static/javascript/group_users_v2.js'),
action='./save',
user_action='./save_user',
options={},
value=group,
group_pw=group.root_password,
usergrid=usergrid,
disabled_fields=[],
group_permissions=group_permissions,
group_form=self.permissions_form,
group_permissions_grid=group_permissions_grid,
)
def test_adds_existing_user_to_admin_group(self):
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = data_setup.create_user()
self.assertNotIn(admin_group, existing_user.groups)
run_command('init.py', 'beaker-init',
['--user', existing_user.user_name])
with session.begin():
admin_group = Group.by_name(u'admin')
existing_user = User.query.get(existing_user.user_id)
self.assertIn(admin_group, existing_user.groups)
# run the same thing again, should have no effect but should not break
run_command('init.py', 'beaker-init',
['--user', existing_user.user_name])
def edit(self, group_id=None, group_name=None, **kw):
# Not just for editing, also provides a read-only view
if group_id is not None:
try:
group = Group.by_id(group_id)
except DatabaseLookupError:
log.exception('Group id %s is not a valid group id' % group_id)
flash(_(u'Need a valid group to search on'))
redirect('../groups/mine')
elif group_name is not None:
try:
group = Group.by_name(group_name)
except NoResultFound:
log.exception('Group name %s is not a valid group name' % group_name)
flash(_(u'Need a valid group to search on'))
redirect('../groups/mine')
else:
redirect('../groups/mine')
usergrid = self.show_members(group)
can_edit = False
if identity.current.user:
can_edit = group.can_edit(identity.current.user)
permissions_fields = [('Permission', lambda x: x.permission_name)]
if can_edit:
permissions_fields.append((' ', lambda x: XML(
'<a class="btn" href="#" id="remove_permission_%s">'
'<i class="fa fa-times"/> Remove</a>' % x.permission_id)))
group_permissions_grid = BeakerDataGrid(name='group_permission_grid',
fields=permissions_fields)
group_permissions = GroupPermissions()
return dict(
form = self.group_form,
user_form = self.group_user_form,
group_edit_js = LocalJSLink('bkr', '/static/javascript/group_users_v2.js'),
action = './save',
user_action = './save_user',
options = {},
value = group,
group_pw = group.root_password,
usergrid = usergrid,
disabled_fields=[],
group_permissions = group_permissions,
group_form = self.permissions_form,
group_permissions_grid = group_permissions_grid,
)
def test_group_modify_grant_owner(self):
with session.begin():
user1 = data_setup.create_user()
self.group.add_member(user1)
user2 = data_setup.create_user()
self.group.add_member(user2)
user3 = data_setup.create_user()
out = run_client(['bkr', 'group-modify',
'--grant-owner', user1.user_name,
'--grant-owner', user2.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user1.user_id in [u.user_id for u in group.owners()])
self.assert_(user2.user_id in [u.user_id for u in group.owners()])
self.assertEquals(Activity.query.filter_by(service=u'HTTP',
field_name=u'Owner', action=u'Added',
new_value=user2.user_name).count(), 1)
group = Group.by_name(group.group_name)
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, user2.user_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
# If the user is not a group member, add the user into the members list
# first and then grant the group ownership.
out = run_client(['bkr', 'group-modify',
'--grant-owner', user3.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assertIn(user3, group.users)
self.assertTrue(group.has_owner(user3))
try:
out = run_client(['bkr', 'group-modify',
'--grant-owner', user3.user_name,
self.fake_ldap_group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('Cannot modify group ownership')
def test_remove_user_from_owning_group(self):
with session.begin():
user = data_setup.create_user(password='******')
group_name = data_setup.unique_name('AAAAAA%s')
display_name = data_setup.unique_name('Group Display Name %s')
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]').send_keys(display_name)
b.find_element_by_xpath('//input[@id="Group_group_name"]').send_keys(group_name)
b.find_element_by_id('Group').submit()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text(group_name).click()
# add an user
b.find_element_by_xpath('//input[@id="GroupUser_user_text"]').send_keys(user.user_name)
b.find_element_by_id('GroupUser').submit()
self.mail_capture.captured_mails[:] = []
group_id = Group.by_name(group_name).group_id
username = user.user_name
user_id = user.user_id
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % username)\
.find_element_by_link_text('Remove').click()
self.assertEquals(b.find_element_by_class_name('flash').text,
'%s Removed' % username)
with session.begin():
group = Group.by_name(group_name)
self.check_notification(user, group, action='Removed')
# remove self when I am the only owner of the group
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\
.find_element_by_link_text('Remove').click()
self.assert_('Cannot remove member' in b.find_element_by_class_name('flash').text)
# admin should be able to remove an owner, even if only one
logout(b)
#login back as admin
login(b)
b.get(get_server_base() + 'groups/edit?group_id=%s' % group_id)
b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\
.find_element_by_link_text('Remove').click()
self.assert_('%s Removed' % self.user.user_name in b.find_element_by_class_name('flash').text)
def members(self, group_name):
"""
List the members of an existing group.
:param group_name: An existing group name
:type group_name: string
Returns a list of the members (a dictionary containing each
member's username, email, and whether the member is an owner
or not).
"""
try:
group = Group.by_name(group_name)
except NoResultFound:
raise BX(_(u'Group does not exist: %s.' % group_name))
users=[]
for u in group.users:
user={}
user['username']=u.user_name
user['email'] = u.email_address
if group.has_owner(u):
user['owner'] = True
else:
user['owner'] = False
users.append(user)
return users
def _from_csv(cls,system,data,csv_type,log):
"""
Import data from CSV file into system.groups
"""
if 'group' in data and data['group']:
try:
group = Group.by_name(data['group'])
except InvalidRequestError:
group = Group(group_name=data['group'],
display_name=data['group'])
session.add(group)
deleted = False
if 'deleted' in data:
deleted = smart_bool(data['deleted'])
if deleted:
if group in system.groups:
activity = SystemActivity(identity.current.user, 'CSV', 'Removed', 'group', '%s' % group, '')
system.activity.append(activity)
system.groups.remove(group)
else:
if group not in system.groups:
system.groups.append(group)
activity = SystemActivity(identity.current.user, 'CSV', 'Added', 'group', '', '%s' % group)
system.activity.append(activity)
else:
log.append("%s: group can't be empty!" % system.fqdn)
return False
return True
def remove(self, **kw):
u = identity.current.user
try:
group = Group.by_id(kw['group_id'])
except DatabaseLookupError:
flash(unicode('Invalid group or already removed'))
redirect('../groups/mine')
if not group.can_edit(u):
flash(_(u'You are not an owner of group %s' % group))
redirect('../groups/mine')
if group.is_protected_group():
flash(_(u'This group %s is predefined and cannot be deleted' % group))
redirect('../groups/mine')
if group.jobs:
flash(_(u'Cannot delete a group which has associated jobs'))
redirect('../groups/mine')
# Record the access policy rules that will be removed
# before deleting the group
for rule in group.system_access_policy_rules:
rule.record_deletion()
# For any system pool owned by this group, unset owning_group
# and set owning_user to the user deleting this group
pools = SystemPool.query.filter_by(owning_group_id=group.group_id)
for pool in pools:
pool.change_owner(user=u, service='WEBUI')
session.delete(group)
activity = Activity(u, u'WEBUI', u'Removed', u'Group', group.display_name, u"")
session.add(activity)
flash( _(u"%s deleted") % group.display_name )
raise redirect(".")
def test_create_new_group(self):
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add ( + )').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]'). \
send_keys('Group FBZ')
b.find_element_by_xpath('//input[@id="Group_group_name"]'). \
send_keys('FBZ')
b.find_element_by_xpath('//input[@id="Group_root_password"]'). \
send_keys('blapppy7')
b.find_element_by_xpath('//input[@value="Save"]').click()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text('FBZ').click()
with session.begin():
self.assertEquals(Activity.query.filter_by(service=u'WEBUI',
field_name=u'Group', action=u'Added',
new_value=u'Group FBZ').count(), 1)
group = Group.by_name(u'FBZ')
self.assertEquals(group.display_name, u'Group FBZ')
self.assert_(group.has_owner(self.user))
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, self.user.user_name)
self.assertEquals(group.activity[-1].service, u'WEBUI')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value, self.user.user_name)
self.assertEquals(group.activity[-2].service, u'WEBUI')
self.failUnless(crypt.crypt('blapppy7', group.root_password) ==
group.root_password, group.root_password)
def removeUser(self, group_id=None, id=None, **kw):
group = Group.by_id(group_id)
if not group.can_modify_membership(identity.current.user):
flash(_(u'You are not an owner of group %s' % group))
redirect('../groups/mine')
if not group.can_remove_member(identity.current.user, id):
flash(_(u'Cannot remove member'))
redirect('../groups/edit?group_id=%s' % group_id)
groupUsers = group.users
for user in groupUsers:
if user.user_id == int(id):
group.users.remove(user)
removed = user
activity = GroupActivity(identity.current.user, u'WEBUI', u'Removed', u'User', removed.user_name, u"")
group.activity.append(activity)
mail.group_membership_notify(user, group,
agent=identity.current.user,
action='Removed')
flash(_(u"%s Removed" % removed.display_name))
redirect("../groups/edit?group_id=%s" % group_id)
flash( _(u"No user %s in group %s" % (id, removed.display_name)))
raise redirect("../groups/edit?group_id=%s" % group_id)
def test_group_modify_group_name(self):
group_name = 'mynewgroup'
out = run_client([
'bkr', 'group-modify', '--group-name', group_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(group_name)
self.assertEquals(group.group_name, group_name)
self.assertEquals(group.activity[-1].action, u'Changed')
self.assertEquals(group.activity[-1].field_name, u'Name')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, group_name)
self.assertEquals(group.activity[-1].service, u'XMLRPC')
try:
out = run_client([
'bkr', 'group-modify', '--group-name',
'areallylonggroupname' * 20, self.group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError, e:
max_length = Group.group_name.property.columns[0].type.length
self.assertRegexpMatches(
e.stderr_output,
'Enter a value (less|not more) than %r characters long' %
max_length)
def save_system_access_policy(fqdn):
system = _get_system_by_FQDN(fqdn)
if not system.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system policy')
if system.custom_access_policy:
policy = system.custom_access_policy
else:
policy = system.custom_access_policy = SystemAccessPolicy()
data = read_json_request(request)
# Figure out what is added, what is removed.
# Rules are immutable, so if it has an id it is unchanged,
# if it has no id it is new.
kept_rule_ids = frozenset(r['id'] for r in data['rules'] if 'id' in r)
removed = []
for old_rule in policy.rules:
if old_rule.id not in kept_rule_ids:
removed.append(old_rule)
for old_rule in removed:
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Removed',
old=repr(old_rule))
policy.rules.remove(old_rule)
for rule in data['rules']:
if 'id' not in rule:
user = User.by_user_name(rule['user']) if rule['user'] else None
group = Group.by_name(rule['group']) if rule['group'] else None
permission = SystemPermission.from_string(rule['permission'])
new_rule = policy.add_rule(user=user, group=group,
everybody=rule['everybody'], permission=permission)
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Added',
new=repr(new_rule))
return '', 204
def test_ldap_group(self):
group_name = u'wyfp'
display_name = u'My LDAP Group'
out = run_client([
'bkr', 'group-create', '--ldap', '--display-name', display_name,
group_name
])
group = Group.by_name(group_name)
self.assertEquals(group.membership_type, GroupMembershipType.ldap)
self.assertEquals(group.users, [User.by_user_name(u'asaha')])
with session.begin():
rand_user = data_setup.create_user(password='******')
rand_client_config = create_client_config(username=rand_user.user_name,
password='******')
group_name = u'alp'
display_name = u'ALP'
try:
out = run_client([
'bkr', 'group-create', '--ldap', '--display-name',
display_name, group_name
],
config=rand_client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_(
'Only admins can create LDAP groups' in e.stderr_output)
def removeUser(self, group_id=None, id=None, **kw):
group = Group.by_id(group_id)
if not group.can_modify_membership(identity.current.user):
flash(_(u'You are not an owner of group %s' % group))
redirect('../groups/mine')
if not group.can_remove_member(identity.current.user, id):
flash(_(u'Cannot remove member'))
redirect('../groups/edit?group_id=%s' % group_id)
groupUsers = group.users
for user in groupUsers:
if user.user_id == int(id):
group.users.remove(user)
removed = user
activity = GroupActivity(identity.current.user, u'WEBUI',
u'Removed', u'User',
removed.user_name, u"")
group.activity.append(activity)
mail.group_membership_notify(user,
group,
agent=identity.current.user,
action='Removed')
flash(_(u"%s Removed" % removed.display_name))
redirect("../groups/edit?group_id=%s" % group_id)
flash(_(u"No user %s in group %s" % (id, removed.display_name)))
raise redirect("../groups/edit?group_id=%s" % group_id)
def test_group_modify_add_member(self):
with session.begin():
user = data_setup.create_user()
out = run_client([
'bkr', 'group-modify', '--add-member', user.user_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user.user_name in [u.user_name for u in group.users])
self.check_notification(user, group, action='Added')
try:
out = run_client([
'bkr', 'group-modify', '--add-member', 'idontexist',
self.group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('User idontexist does not exist' in e.stderr_output,
e.stderr_output)
def process_xmljob(self, xmljob, user, ignore_missing_tasks=False):
# We start with the assumption that the owner == 'submitting user', until
# we see otherwise.
submitter = user
if user.rootpw_expired:
raise BX(_('Your root password has expired, please change or clear it in order to submit jobs.'))
owner_name = xmljob.get_xml_attr('user', unicode, None)
if owner_name:
owner = User.by_user_name(owner_name)
if owner is None:
raise ValueError('%s is not a valid user name' % owner_name)
if not submitter.is_delegate_for(owner):
raise ValueError('%s is not a valid submission delegate for %s' % (submitter, owner))
else:
owner = user
group_name = xmljob.get_xml_attr('group', unicode, None)
group = None
if group_name:
try:
group = Group.by_name(group_name)
except NoResultFound, e:
raise ValueError('%s is not a valid group' % group_name)
if group not in owner.groups:
raise BX(_(u'User %s is not a member of group %s' % (owner.user_name, group.group_name)))
def create_group(permissions=None,
group_name=None,
display_name=None,
owner=None,
membership_type=GroupMembershipType.normal,
root_password=None):
if group_name is None:
group_name = unique_name(u'group%s')
group = Group.lazy_create(group_name=group_name)
group.root_password = root_password
if display_name is None:
group.display_name = u'Group %s display name' % group_name
else:
group.display_name = display_name
group.membership_type = membership_type
if group.membership_type == GroupMembershipType.ldap:
assert owner is None, 'LDAP groups cannot have owners'
if not owner:
owner = create_user(user_name=unique_name(u'group_owner_%s'))
group.add_member(owner, is_owner=True, service=u'testdata')
if permissions:
group.permissions.extend(
Permission.by_name(name) for name in permissions)
return group
def members(self, group_name):
"""
List the members of an existing group.
:param group_name: An existing group name
:type group_name: string
Returns a list of the members (a dictionary containing each
member's username, email, and whether the member is an owner
or not).
"""
try:
group = Group.by_name(group_name)
except NoResultFound:
raise BX(_(u'Group does not exist: %s.' % group_name))
users = []
for u in group.users:
user = {}
user['username'] = u.user_name
user['email'] = u.email_address
if group.has_owner(u):
user['owner'] = True
else:
user['owner'] = False
users.append(user)
return users
def test_admin_cannot_rename_protected_group(self):
# See https://bugzilla.redhat.com/show_bug.cgi?id=961206
protected_group_name = u'admin'
with session.begin():
group = Group.by_name(protected_group_name)
expected_display_name = group.display_name
# Run command as the default admin user
try:
out = run_client(['bkr', 'group-modify',
'--group-name', 'new_admin',
'--display-name', 'this is also unchanged',
protected_group_name])
self.fail('Must fail or die')
except ClientError as e:
self.assert_('Cannot rename protected group' in
e.stderr_output, e.stderr_output)
# Check the whole request is ignored if the name change is rejected
with session.begin():
session.refresh(group)
self.assertEquals(group.group_name, protected_group_name)
self.assertEquals(group.display_name, expected_display_name)
# However, changing just the display name is fine
new_display_name = 'Tested admin group'
out = run_client(['bkr', 'group-modify',
'--display-name', new_display_name,
protected_group_name])
with session.begin():
session.refresh(group)
self.assertEquals(group.group_name, protected_group_name)
self.assertEquals(group.display_name, new_display_name)
def test_ldap_group(self):
group_name = 'wyfp'
display_name = 'My LDAP Group'
out = run_client(['bkr', 'group-create', '--ldap',
'--display-name', display_name,
group_name])
group = Group.by_name(group_name)
self.assertEquals(group.ldap, True)
self.assertEquals(group.users, [User.by_user_name(u'asaha')])
with session.begin():
rand_user = data_setup.create_user(password = '******')
rand_client_config = create_client_config(username=rand_user.user_name,
password='******')
group_name = 'alp'
display_name = 'ALP'
try:
out = run_client(['bkr', 'group-create', '--ldap',
'--display-name', display_name,
group_name],
config = rand_client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('Only admins can create LDAP groups' in
e.stderr_output)
def add_system_access_policy_rule(fqdn):
system = _get_system_by_FQDN(fqdn)
if not system.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system policy')
if system.custom_access_policy:
policy = system.custom_access_policy
else:
policy = system.custom_access_policy = SystemAccessPolicy()
rule = read_json_request(request)
if rule['user']:
user = User.by_user_name(rule['user'])
if not user:
raise BadRequest400("User '%s' does not exist" % rule['user'])
else:
user = None
if rule['group']:
try:
group = Group.by_name(rule['group'])
except NoResultFound:
raise BadRequest400("Group '%s' does not exist" % rule['group'])
else:
group = None
try:
permission = SystemPermission.from_string(rule['permission'])
except ValueError:
raise BadRequest400
new_rule = policy.add_rule(user=user, group=group,
everybody=rule['everybody'], permission=permission)
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Added',
new=repr(new_rule))
return '', 204
def create_group(permissions=None,
group_name=None,
display_name=None,
owner=None,
ldap=False,
root_password=None):
# tg_group.group_name column is VARCHAR(16)
if group_name is None:
group_name = unique_name(u'group%s')
assert len(group_name) <= 16
group = Group.lazy_create(group_name=group_name)
group.root_password = root_password
if display_name is None:
group.display_name = u'Group %s' % group_name
else:
group.display_name = display_name
group.ldap = ldap
if ldap:
assert owner is None, 'LDAP groups cannot have owners'
if owner:
add_owner_to_group(owner, group)
else:
group_owner = create_user(user_name=unique_name(u'group_owner_%s'))
add_owner_to_group(group_owner, group)
if permissions:
group.permissions.extend(
Permission.by_name(name) for name in permissions)
return group
def test_refresh_ldap_group_membership(self):
with session.begin():
group = Group(group_name=u'alp',
display_name=u'Australian Labor Party',
membership_type=GroupMembershipType.ldap)
old_member = data_setup.create_user(user_name=u'krudd')
group.add_member(old_member)
run_command('refresh_ldap.py', 'beaker-refresh-ldap')
with session.begin():
session.expire_all()
self.assertEquals(group.users, [User.by_user_name(u'jgillard')])
# second time is a no-op
run_command('refresh_ldap.py', 'beaker-refresh-ldap')
with session.begin():
session.expire_all()
self.assertEquals(group.users, [User.by_user_name(u'jgillard')])
def process_xmljob(self, xmljob, user, ignore_missing_tasks=False):
# We start with the assumption that the owner == 'submitting user', until
# we see otherwise.
submitter = user
if user.rootpw_expired:
raise BX(
_('Your root password has expired, please change or clear it in order to submit jobs.'
))
owner_name = xmljob.get_xml_attr('user', unicode, None)
if owner_name:
owner = User.by_user_name(owner_name)
if owner is None:
raise ValueError('%s is not a valid user name' % owner_name)
if not submitter.is_delegate_for(owner):
raise ValueError(
'%s is not a valid submission delegate for %s' %
(submitter, owner))
else:
owner = user
group_name = xmljob.get_xml_attr('group', unicode, None)
group = None
if group_name:
try:
group = Group.by_name(group_name)
except NoResultFound, e:
raise ValueError('%s is not a valid group' % group_name)
if group not in owner.groups:
raise BX(
_(u'User %s is not a member of group %s' %
(owner.user_name, group.group_name)))
def create_group(permissions=None, group_name=None, display_name=None,
owner=None, ldap=False,
root_password=None):
# tg_group.group_name column is VARCHAR(16)
if group_name is None:
group_name = unique_name(u'group%s')
assert len(group_name) <= 16
group = Group.lazy_create(group_name=group_name)
group.root_password = root_password
if display_name is None:
group.display_name = u'Group %s' % group_name
else:
group.display_name = display_name
group.ldap = ldap
if ldap:
assert owner is None, 'LDAP groups cannot have owners'
if owner:
add_owner_to_group(owner, group)
else:
group_owner = create_user(user_name=unique_name(u'group_owner_%s'))
add_owner_to_group(group_owner, group)
if permissions:
group.permissions.extend(Permission.by_name(name) for name in permissions)
return group
def create_admin(user_name=None, **kwargs):
if user_name is None:
user_name = unique_name(u'admin%s')
user = create_user(user_name=user_name, **kwargs)
group = Group.by_name(u'admin')
group.add_member(user, service=u'testdata')
return user
def test_remove_self_admin_group(self):
with session.begin():
user = data_setup.create_admin(password='******')
b = self.browser
login(b, user=user.user_name, password='******')
# admin should be in groups/mine
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('admin').click()
# remove self
b.find_element_by_xpath('//td/a[text()="Remove (-)" and ../preceding-sibling::td[2]/text()="%s"]'
% user.user_name).click()
# admin should not be in groups/mine
b.get(get_server_base() + 'groups/mine')
self.assertTrue(not is_text_present(b, 'admin'))
logout(b)
# login as admin
login(b)
group = Group.by_name('admin')
group_users = group.users
# remove all other users from 'admin'
b.get(get_server_base() + 'groups/edit?group_id=1')
for usr in group_users:
if usr.user_id != 1:
b.find_element_by_xpath('//td/a[text()="Remove (-)" and ../preceding-sibling::td[2]/text()="%s"]'
% usr.user_name).click()
# attempt to remove admin user
b.find_element_by_xpath('//a[@href="removeUser?group_id=1&id=1"]').click()
self.assert_('Cannot remove member' in b.find_element_by_class_name('flash').text)
def test_group_modify_group_name(self):
group_name = 'mynewgroup'
out = run_client(['bkr', 'group-modify',
'--group-name', group_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(group_name)
self.assertEquals(group.group_name, group_name)
self.assertEquals(group.activity[-1].action, u'Changed')
self.assertEquals(group.activity[-1].field_name, u'Name')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, group_name)
self.assertEquals(group.activity[-1].service, u'XMLRPC')
try:
out = run_client(['bkr', 'group-modify',
'--group-name', 'areallylonggroupname'*20,
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError,e:
max_length = Group.group_name.property.columns[0].type.length
self.assertRegexpMatches(e.stderr_output,
'Enter a value (less|not more) than %r characters long' % max_length)
def test_group_modify_add_member(self):
with session.begin():
user = data_setup.create_user()
out = run_client(['bkr', 'group-modify',
'--add-member', user.user_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(self.group.group_name)
self.assert_(user.user_name in
[u.user_name for u in group.users])
self.check_notification(user, group, action='Added')
try:
out = run_client(['bkr', 'group-modify',
'--add-member', 'idontexist',
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assert_('User does not exist' in
e.stderr_output, e.stderr_output)
def test_group_modify_group_name(self):
group_name = u'mynewgroup'
out = run_client(['bkr', 'group-modify',
'--group-name', group_name,
self.group.group_name],
config = self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(group_name)
self.assertEquals(group.group_name, group_name)
self.assertEquals(group.activity[-1].action, u'Changed')
self.assertEquals(group.activity[-1].field_name, u'Name')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, group_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client(['bkr', 'group-modify',
'--group-name', 'areallylonggroupname'*20,
self.group.group_name],
config = self.client_config)
self.fail('Must fail or die')
except ClientError,e:
self.assertIn(
'Group name must be not more than 255 characters long',
e.stderr_output)
def test_group_modify_group_name(self):
group_name = u'mynewgroup'
out = run_client([
'bkr', 'group-modify', '--group-name', group_name,
self.group.group_name
],
config=self.client_config)
with session.begin():
session.refresh(self.group)
group = Group.by_name(group_name)
self.assertEquals(group.group_name, group_name)
self.assertEquals(group.activity[-1].action, u'Changed')
self.assertEquals(group.activity[-1].field_name, u'Name')
self.assertEquals(group.activity[-1].user.user_id,
self.user.user_id)
self.assertEquals(group.activity[-1].new_value, group_name)
self.assertEquals(group.activity[-1].service, u'HTTP')
try:
out = run_client([
'bkr', 'group-modify', '--group-name',
'areallylonggroupname' * 20, self.group.group_name
],
config=self.client_config)
self.fail('Must fail or die')
except ClientError, e:
self.assertIn(
'Group name must be not more than 255 characters long',
e.stderr_output)
def test_create_new_group(self):
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]'). \
send_keys('Group FBZ')
b.find_element_by_xpath('//input[@id="Group_group_name"]'). \
send_keys('FBZ')
b.find_element_by_xpath('//input[@id="Group_root_password"]'). \
send_keys('blapppy7')
b.find_element_by_id('Group').submit()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text('FBZ').click()
with session.begin():
group = Group.by_name(u'FBZ')
self.assertEquals(group.display_name, u'Group FBZ')
self.assert_(group.has_owner(self.user))
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value, self.user.user_name)
self.assertEquals(group.activity[-1].service, u'WEBUI')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value, self.user.user_name)
self.assertEquals(group.activity[-2].service, u'WEBUI')
self.assertEquals(group.activity[-3].action, u'Created')
self.assertEquals(group.activity[-3].service, u'WEBUI')
self.assertEquals('blapppy7', group.root_password)
def create_admin(user_name=None, **kwargs):
if user_name is None:
user_name = unique_name(u'admin%s')
user = create_user(user_name=user_name, **kwargs)
group = Group.by_name(u'admin')
group.add_member(user, service=u'testdata')
return user
def save_user(self, **kw):
user = User.by_user_name(kw['user']['text'])
if user is None:
flash(_(u"Invalid user %s" % kw['user']['text']))
redirect("./edit?group_id=%s" % kw['group_id'])
group = Group.by_id(kw['group_id'])
if not group.can_modify_membership(identity.current.user):
flash(_(u'You are not an owner of group %s' % group))
redirect('../groups/mine')
if user not in group.users:
group.users.append(user)
activity = GroupActivity(identity.current.user, u'WEBUI', u'Added',
u'User', u"", user.user_name)
group.activity.append(activity)
mail.group_membership_notify(user,
group,
agent=identity.current.user,
action='Added')
flash(_(u"OK"))
redirect("./edit?group_id=%s" % kw['group_id'])
else:
flash(
_(u"User %s is already in Group %s" %
(user.user_name, group.group_name)))
redirect("./edit?group_id=%s" % kw['group_id'])
def test_create_new_group(self):
b = self.browser
login(b, user=self.user.user_name, password='******')
b.get(get_server_base() + 'groups/mine')
b.find_element_by_link_text('Add').click()
b.find_element_by_xpath('//input[@id="Group_display_name"]'). \
send_keys('Group FBZ')
b.find_element_by_xpath('//input[@id="Group_group_name"]'). \
send_keys('FBZ')
b.find_element_by_xpath('//input[@id="Group_root_password"]'). \
send_keys('blapppy7')
b.find_element_by_id('Group').submit()
b.find_element_by_xpath('//title[text()="My Groups"]')
b.find_element_by_link_text('FBZ').click()
with session.begin():
group = Group.by_name(u'FBZ')
self.assertEquals(group.display_name, u'Group FBZ')
self.assert_(group.has_owner(self.user))
self.assertEquals(group.activity[-1].action, u'Added')
self.assertEquals(group.activity[-1].field_name, u'Owner')
self.assertEquals(group.activity[-1].new_value,
self.user.user_name)
self.assertEquals(group.activity[-1].service, u'WEBUI')
self.assertEquals(group.activity[-2].action, u'Added')
self.assertEquals(group.activity[-2].field_name, u'User')
self.assertEquals(group.activity[-2].new_value,
self.user.user_name)
self.assertEquals(group.activity[-2].service, u'WEBUI')
self.assertEquals(group.activity[-3].action, u'Created')
self.assertEquals(group.activity[-3].service, u'WEBUI')
self.assertEquals('blapppy7', group.root_password)
def test_refresh_ldap_group_membership(self):
with session.begin():
group = Group(group_name=u'alp',
display_name=u'Australian Labor Party',
membership_type=GroupMembershipType.ldap)
old_member = data_setup.create_user(user_name=u'krudd')
group.add_member(old_member)
run_command('refresh_ldap.py', 'beaker-refresh-ldap')
with session.begin():
session.expire_all()
self.assertEquals(group.users, [User.by_user_name(u'jgillard')])
# second time is a no-op
run_command('refresh_ldap.py', 'beaker-refresh-ldap')
with session.begin():
session.expire_all()
self.assertEquals(group.users, [User.by_user_name(u'jgillard')])
def test_refresh_ldap_group_membership(self):
with session.begin():
group = Group(group_name=u'alp',
display_name=u'Australian Labor Party',
membership_type=GroupMembershipType.ldap)
old_member = data_setup.create_user(user_name=u'krudd')
group.add_member(old_member)
from bkr.server.tools.refresh_ldap import refresh_ldap
refresh_ldap()
with session.begin():
session.expire_all()
self.assertEquals(group.users, [User.by_user_name(u'jgillard')])
# second time is a no-op
refresh_ldap()
with session.begin():
session.expire_all()
self.assertEquals(group.users, [User.by_user_name(u'jgillard')])
def get_groups():
"""
Returns a pageable JSON collection of Beaker groups.
The following fields are supported for filtering and sorting:
``id``
ID of the group.
``group_name``
Symbolic name of the group.
``display_name``
Human-friendly display name of the group.
``created``
Timestamp at which the group was created.
"""
query = Group.query.order_by(Group.group_name)
# Eager load all group members as an optimisation to avoid N database roundtrips
query = query.options(joinedload('user_group_assocs'),
joinedload('user_group_assocs.user'))
json_result = json_collection(
query,
columns={
'id': Group.id,
'group_name': Group.group_name,
'display_name': Group.display_name,
'created': Group.created,
'member.user_name': (Group.dyn_users, User.user_name),
'member.display_name': (Group.dyn_users, User.display_name),
'member.email_address': (Group.dyn_users, User.email_address),
'owner.user_name': (Group.dyn_owners, User.user_name),
'owner.display_name': (Group.dyn_owners, User.display_name),
'owner.email_address': (Group.dyn_owners, User.email_address),
})
# Need to call .to_json() on the groups because the default __json__
# representation is the minimal cut-down one, we want the complete
# representation here (including members and owners etc).
json_result['entries'] = [g.to_json() for g in json_result['entries']]
if request_wants_json():
return jsonify(json_result)
if identity.current.user:
grid_add_view_type = 'GroupCreateModal',
grid_add_view_options = {
'can_create_ldap': Group.can_create_ldap(identity.current.user),
}
else:
grid_add_view_type = 'null'
grid_add_view_options = {}
return render_tg_template(
'bkr.server.templates.backgrid', {
'title': u'Groups',
'grid_collection_type': 'Groups',
'grid_collection_data': json_result,
'grid_collection_url': request.path,
'grid_view_type': 'GroupsView',
'grid_add_label': 'Create',
'grid_add_view_type': grid_add_view_type,
'grid_add_view_options': grid_add_view_options,
})
def from_csv(cls, user, data, log):
"""
Import data from CSV file into user.groups
"""
if 'group' in data and data['group']:
try:
group = Group.by_name(data['group'])
except InvalidRequestError:
group = Group(group_name=data['group'],
display_name=data['group'])
session.add(group)
deleted = False
if 'deleted' in data:
deleted = smart_bool(data['deleted'])
if deleted:
if group in user.groups:
group.remove_member(user,
service=u'CSV',
agent=identity.current.user)
else:
if group not in user.groups:
group.add_member(user,
service=u'CSV',
agent=identity.current.user)
else:
log.append("%s: group can't be empty!" % user)
return False
return True
def from_csv(cls,user,data,log):
"""
Import data from CSV file into user.groups
"""
if 'group' in data and data['group']:
try:
group = Group.by_name(data['group'])
except InvalidRequestError:
group = Group(group_name=data['group'],
display_name=data['group'])
session.add(group)
deleted = False
if 'deleted' in data:
deleted = smart_bool(data['deleted'])
if deleted:
if group in user.groups:
group.record_activity(user=identity.current.user, service=u'CSV',
field=u'User', action=u'Removed', old=user)
user.groups.remove(group)
else:
if group not in user.groups:
group.record_activity(user=identity.current.user, service=u'CSV',
field=u'User', action=u'Added', new=user)
user.groups.append(group)
else:
log.append("%s: group can't be empty!" % user)
return False
return True
