def test_enforce_groups(pre_existing, regular_should_be, external_should_be,
groups, expected, backend_hg):
# TODO: anderson: adding backend_hg fixture so it sets up the database
# for when running this file alone
_delete_all_user_groups()
user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
for gr in pre_existing:
gr = fixture.create_user_group(gr)
Session().commit()
# make sure use is just in those groups
for gr in regular_should_be:
gr = fixture.create_user_group(gr)
Session().commit()
UserGroupModel().add_user_to_group(gr, user)
Session().commit()
# now special external groups created by auth plugins
for gr in external_should_be:
gr = fixture.create_user_group(
gr, user_group_data={'extern_type': 'container'})
Session().commit()
UserGroupModel().add_user_to_group(gr, user)
Session().commit()
UserGroupModel().enforce_groups(user, groups, 'container')
Session().commit()
user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
in_groups = user.group_member
expected.sort()
assert (expected == sorted(x.users_group.users_group_name
for x in in_groups))
def test_set_users_as_members_and_find_user_in_group(user_util, user_regular,
user_admin):
user_group = user_util.create_user_group()
assert len(user_group.members) == 0
user_list = [user_regular.user_id, user_admin.user_id]
UserGroupModel()._set_users_as_members(user_group, user_list)
assert len(user_group.members) == 2
assert UserGroupModel()._find_user_in_group(user_regular, user_group)
def test_add_and_remove_user_from_group(user_regular, user_util):
user_group = user_util.create_user_group()
assert user_group.members == []
UserGroupModel().add_user_to_group(user_group, user_regular)
Session().commit()
assert user_group.members[0].user == user_regular
UserGroupModel().remove_user_from_group(user_group, user_regular)
Session().commit()
assert user_group.members == []
def test_get_added_and_removed_users():
members = _create_test_members()
mock_user_group = mock.Mock()
mock_user_group.members = [members[0], members[1]]
new_users_list = [members[1].user.user_id, members[2].user.user_id]
model = UserGroupModel()
added, removed = model._get_added_and_removed_user_ids(
mock_user_group, new_users_list)
assert added == [members[2].user.user_id]
assert removed == [members[0].user.user_id]
def get_user_groups(request, apiuser):
"""
Lists all the existing user groups within RhodeCode.
This command can only be run using an |authtoken| with admin rights to
the specified repository.
This command takes the following options:
:param apiuser: This is filled automatically from the |authtoken|.
:type apiuser: AuthUser
Example error output:
.. code-block:: bash
id : <id_given_in_input>
result : [<user_group_obj>,...]
error : null
"""
include_secrets = has_superadmin_permission(apiuser)
result = []
_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
extras = {'user': apiuser}
for user_group in UserGroupList(UserGroupModel().get_all(),
perm_set=_perms, extra_kwargs=extras):
result.append(
user_group.get_api_data(include_secrets=include_secrets))
return result
def test_api_create_user_group_regular_user(self):
group_name = 'some_new_group'
usr = UserModel().get_by_username(self.TEST_USER_LOGIN)
usr.inherit_default_permissions = False
Session().add(usr)
UserModel().grant_perm(self.TEST_USER_LOGIN,
'hg.usergroup.create.true')
Session().commit()
id_, params = build_data(self.apikey_regular,
'create_user_group',
group_name=group_name)
response = api_call(self.app, params)
expected = {
'msg':
'created new user group `%s`' % (group_name, ),
'user_group':
jsonify(UserGroupModel().get_by_name(group_name).get_api_data())
}
try:
assert_ok(id_, expected, given=response.body)
finally:
self.fixture.destroy_user_group(group_name)
UserModel().revoke_perm(self.TEST_USER_LOGIN,
'hg.usergroup.create.true')
usr = UserModel().get_by_username(self.TEST_USER_LOGIN)
usr.inherit_default_permissions = True
Session().add(usr)
Session().commit()
def test_api_grant_user_group_permission_to_user_group(
self, name, perm, user_util):
group = user_util.create_user_group()
target_group = user_util.create_user_group()
id_, params = build_data(
self.apikey,
'grant_user_group_permission_to_user_group',
usergroupid=target_group.users_group_name,
sourceusergroupid=group.users_group_name,
perm=perm)
response = api_call(self.app, params)
expected = {
'msg': (
'Granted perm: `%s` for user group: `%s`'
' in user group: `%s`' % (
perm, group.users_group_name,
target_group.users_group_name
)
),
'success': True
}
try:
assert_ok(id_, expected, given=response.body)
finally:
UserGroupModel().revoke_user_group_permission(
target_group.users_group_id, group.users_group_id)
def update_perms(self, user_group_id):
"""
grant permission for given usergroup
:param user_group_id:
"""
user_group_id = safe_int(user_group_id)
c.user_group = UserGroup.get_or_404(user_group_id)
form = UserGroupPermsForm()().to_python(request.POST)
if not c.rhodecode_user.is_admin:
if self._revoke_perms_on_yourself(form):
msg = _('Cannot change permission for yourself as admin')
h.flash(msg, category='warning')
return redirect(
url('edit_user_group_perms', user_group_id=user_group_id))
try:
UserGroupModel().update_permissions(user_group_id,
form['perm_additions'],
form['perm_updates'],
form['perm_deletions'])
except RepoGroupAssignmentError:
h.flash(_('Target group cannot be the same'), category='error')
return redirect(
url('edit_user_group_perms', user_group_id=user_group_id))
#TODO: implement this
#action_logger(c.rhodecode_user, 'admin_changed_repo_permissions',
# repo_name, self.ip_addr, self.sa)
Session().commit()
h.flash(_('User Group permissions updated'), category='success')
return redirect(
url('edit_user_group_perms', user_group_id=user_group_id))
def test_cached_perms_data_user_group_global_permissions_(user_util):
user, user_group = user_util.create_user_with_group()
granted_permission = 'repository.write'
UserGroupModel().grant_perm(user_group, granted_permission)
permissions = get_permissions(user)
assert granted_permission in permissions['global']
def grant_user_permission_to_user_group(
request, apiuser, usergroupid, userid, perm):
"""
Set permissions for a user in a user group.
:param apiuser: This is filled automatically from the |authtoken|.
:type apiuser: AuthUser
:param usergroupid: Set the user group to edit permissions on.
:type usergroupid: str or int
:param userid: Set the user from whom you wish to set permissions.
:type userid: str
:param perm: (usergroup.(none|read|write|admin))
:type perm: str
Example output:
.. code-block:: bash
id : <id_given_in_input>
result : {
"msg": "Granted perm: `<perm_name>` for user: `<username>` in user group: `<user_group_name>`",
"success": true
}
error : null
"""
user_group = get_user_group_or_error(usergroupid)
if not has_superadmin_permission(apiuser):
# check if we have admin permission for this user group !
_perms = ('usergroup.admin',)
if not HasUserGroupPermissionAnyApi(*_perms)(
user=apiuser, user_group_name=user_group.users_group_name):
raise JSONRPCError(
'user group `%s` does not exist' % (usergroupid,))
user = get_user_or_error(userid)
perm = get_perm_or_error(perm, prefix='usergroup.')
try:
UserGroupModel().grant_user_permission(
user_group=user_group, user=user, perm=perm)
Session().commit()
return {
'msg':
'Granted perm: `%s` for user: `%s` in user group: `%s`' % (
perm.permission_name, user.username,
user_group.users_group_name
),
'success': True
}
except Exception:
log.exception("Error occurred during editing permissions "
"for user in user group")
raise JSONRPCError(
'failed to edit permission for user: '******'`%s` in user group: `%s`' % (
userid, user_group.users_group_name))
def test_cached_perms_data_user_group_permissions_explicit(
user_util, backend_random):
user = user_util.create_user()
user_group = user_util.create_user_group()
UserGroupModel().grant_user_permission(user_group, user, 'usergroup.none')
permissions = get_permissions(user, explicit=True)
assert permissions['user_groups'][user_group.users_group_name] == \
'usergroup.none'
def remove_user_from_user_group(request, apiuser, usergroupid, userid):
"""
Removes a user from a user group.
* If the specified user is not in the group, this command will return
`false`.
This command can only be run using an |authtoken| with admin rights to
the specified user group.
:param apiuser: This is filled automatically from the |authtoken|.
:type apiuser: AuthUser
:param usergroupid: Sets the user group name.
:type usergroupid: str or int
:param userid: The user you wish to remove from |RCE|.
:type userid: str or int
Example output:
.. code-block:: bash
id : <id_given_in_input>
result: {
"success": True|False, # depends on if member is in group
"msg": "removed member <username> from user group <groupname> |
User wasn't in group"
}
error: null
"""
user = get_user_or_error(userid)
user_group = get_user_group_or_error(usergroupid)
if not has_superadmin_permission(apiuser):
# check if we have admin permission for this user group !
_perms = ('usergroup.admin',)
if not HasUserGroupPermissionAnyApi(*_perms)(
user=apiuser, user_group_name=user_group.users_group_name):
raise JSONRPCError(
'user group `%s` does not exist' % (usergroupid,))
try:
success = UserGroupModel().remove_user_from_group(user_group, user)
msg = 'removed member `%s` from user group `%s`' % (
user.username, user_group.users_group_name
)
msg = msg if success else "User wasn't in group"
Session().commit()
return {'success': success, 'msg': msg}
except Exception:
log.exception("Error occurred during removing an member from user group")
raise JSONRPCError(
'failed to remove member from user group `%s`' % (
user_group.users_group_name,
)
)
def test_user_delete_cascades_permissions_on_user_group(
test_user_group, test_user):
UserGroupModel().grant_user_permission(test_user_group, test_user,
'usergroup.write')
Session().commit()
assert test_user.user_group_to_perm
Session().delete(test_user)
Session().commit()
def revoke_user_permission_from_user_group(
request, apiuser, usergroupid, userid):
"""
Revoke a users permissions in a user group.
:param apiuser: This is filled automatically from the |authtoken|.
:type apiuser: AuthUser
:param usergroupid: Set the user group from which to revoke the user
permissions.
:type: usergroupid: str or int
:param userid: Set the userid of the user whose permissions will be
revoked.
:type userid: str
Example output:
.. code-block:: bash
id : <id_given_in_input>
result : {
"msg": "Revoked perm for user: `<username>` in user group: `<user_group_name>`",
"success": true
}
error : null
"""
user_group = get_user_group_or_error(usergroupid)
if not has_superadmin_permission(apiuser):
# check if we have admin permission for this user group !
_perms = ('usergroup.admin',)
if not HasUserGroupPermissionAnyApi(*_perms)(
user=apiuser, user_group_name=user_group.users_group_name):
raise JSONRPCError(
'user group `%s` does not exist' % (usergroupid,))
user = get_user_or_error(userid)
try:
UserGroupModel().revoke_user_permission(
user_group=user_group, user=user)
Session().commit()
return {
'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
user.username, user_group.users_group_name
),
'success': True
}
except Exception:
log.exception("Error occurred during editing permissions "
"for user in user group")
raise JSONRPCError(
'failed to edit permission for user: `%s` in user group: `%s`'
% (userid, user_group.users_group_name))
def test_ValidUserGroup():
validator = v.ValidUserGroup()
pytest.raises(formencode.Invalid, validator.to_python, 'default')
pytest.raises(formencode.Invalid, validator.to_python, '.,')
gr = fixture.create_user_group('test')
gr2 = fixture.create_user_group('tes2')
Session().commit()
pytest.raises(formencode.Invalid, validator.to_python, 'test')
assert gr.users_group_id is not None
validator = v.ValidUserGroup(
edit=True,
old_data={'users_group_id': gr2.users_group_id})
pytest.raises(formencode.Invalid, validator.to_python, 'test')
pytest.raises(formencode.Invalid, validator.to_python, 'TesT')
pytest.raises(formencode.Invalid, validator.to_python, 'TEST')
UserGroupModel().delete(gr)
UserGroupModel().delete(gr2)
Session().commit()
def get_user_group_or_error(usergroupid):
"""
Get user group by id or name or return JsonRPCError if not found
:param usergroupid:
"""
from rhodecode.model.user_group import UserGroupModel
user_group = UserGroupModel().get_group(usergroupid)
if user_group is None:
raise JSONRPCError('user group `%s` does not exist' % (usergroupid, ))
return user_group
def test_repo_group_user_as_user_group_member(self):
# create Group1
self.g1 = fixture.create_repo_group('group1', skip_if_exists=True)
assert group_perms(self.anon) == {u'group1': u'group.read'}
# set default permission to none
RepoGroupModel().grant_user_permission(repo_group=self.g1,
user=self.anon,
perm='group.none')
# make group
self.ug1 = fixture.create_user_group('G1')
# add user to group
UserGroupModel().add_user_to_group(self.ug1, self.u1)
Session().commit()
# check if user is in the group
ug1 = UserGroupModel().get(self.ug1.users_group_id)
members = [x.user_id for x in ug1.members]
assert members == [self.u1.user_id]
# add some user to that group
# check his permissions
assert group_perms(self.anon) == {u'group1': u'group.none'}
assert group_perms(self.u1) == {u'group1': u'group.none'}
# grant ug1 read permissions for
RepoGroupModel().grant_user_group_permission(repo_group=self.g1,
group_name=self.ug1,
perm='group.read')
Session().commit()
# check if the
obj = Session().query(UserGroupRepoGroupToPerm)\
.filter(UserGroupRepoGroupToPerm.group == self.g1)\
.filter(UserGroupRepoGroupToPerm.users_group == self.ug1)\
.scalar()
assert obj.permission.permission_name == 'group.read'
assert group_perms(self.anon) == {u'group1': u'group.none'}
assert group_perms(self.u1) == {u'group1': u'group.read'}
def test_propagated_permission_from_users_group(self, repo_name):
# make group
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u3)
# grant perm for group
# this should override default permission from user
new_perm_gr = 'repository.write'
RepoModel().grant_user_group_permission(repo=repo_name,
group_name=self.ug1,
perm=new_perm_gr)
assert repo_perms(self.u3)[repo_name] == new_perm_gr
assert group_perms(self.u3) == {}
def update(self, user_group_id):
"""PUT /user_groups/user_group_id: Update an existing item"""
# Forms posted to this method should contain a hidden field:
# <input type="hidden" name="_method" value="PUT" />
# Or using helpers:
# h.form(url('users_group', user_group_id=ID),
# method='put')
# url('users_group', user_group_id=ID)
user_group_id = safe_int(user_group_id)
c.user_group = UserGroup.get_or_404(user_group_id)
c.active = 'settings'
self.__load_data(user_group_id)
available_members = [safe_unicode(x[0]) for x in c.available_members]
users_group_form = UserGroupForm(edit=True,
old_data=c.user_group.get_dict(),
available_members=available_members,
allow_disabled=True)()
try:
form_result = users_group_form.to_python(request.POST)
UserGroupModel().update(c.user_group, form_result)
gr = form_result['users_group_name']
action_logger(c.rhodecode_user,
'admin_updated_users_group:%s' % gr, None,
self.ip_addr, self.sa)
h.flash(_('Updated user group %s') % gr, category='success')
Session().commit()
except formencode.Invalid as errors:
defaults = errors.value
e = errors.error_dict or {}
return htmlfill.render(
render('admin/user_groups/user_group_edit.html'),
defaults=defaults,
errors=e,
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.exception("Exception during update of user group")
h.flash(_('Error occurred during update of user group %s') %
request.POST.get('users_group_name'),
category='error')
return redirect(url('edit_users_group', user_group_id=user_group_id))
def test_cached_perms_data_user_group_permissions_inherited(
user_util, backend_random):
user, user_group = user_util.create_user_with_group()
user_group2 = user_util.create_user_group()
UserGroupModel().add_user_to_group(user_group2, user)
target_user_group = user_util.create_user_group()
user_util.grant_user_group_permission_to_user_group(
target_user_group, user_group, 'usergroup.read')
user_util.grant_user_group_permission_to_user_group(
target_user_group, user_group2, 'usergroup.write')
permissions = get_permissions(user)
assert permissions['user_groups'][target_user_group.users_group_name] == \
'usergroup.write'
def test_create_and_remove(test_user):
usr = test_user
# make user group
user_group = fixture.create_user_group('some_example_group')
Session().commit()
UserGroupModel().add_user_to_group(user_group, usr)
Session().commit()
assert UserGroup.get(user_group.users_group_id) == user_group
assert UserGroupMember.query().count() == 1
UserModel().delete(usr.user_id)
Session().commit()
assert UserGroupMember.query().all() == []
def test_api_create_user_group(self):
group_name = 'some_new_group'
id_, params = build_data(self.apikey,
'create_user_group',
group_name=group_name)
response = api_call(self.app, params)
ret = {
'msg':
'created new user group `%s`' % (group_name, ),
'user_group':
jsonify(UserGroupModel().get_by_name(group_name).get_api_data())
}
expected = ret
assert_ok(id_, expected, given=response.body)
self.fixture.destroy_user_group(group_name)
def create_user_group(self, name, **kwargs):
if 'skip_if_exists' in kwargs:
del kwargs['skip_if_exists']
gr = UserGroup.get_by_group_name(group_name=name)
if gr:
return gr
form_data = self._get_user_group_create_params(name, **kwargs)
owner = kwargs.get('cur_user', TEST_USER_ADMIN_LOGIN)
user_group = UserGroupModel().create(
name=form_data['users_group_name'],
description=form_data['user_group_description'],
owner=owner, active=form_data['users_group_active'],
group_data=form_data['user_group_data'])
Session().commit()
user_group = UserGroup.get_by_group_name(user_group.users_group_name)
return user_group
def test_cached_perms_data_repository_permissions_from_user_group(
user_util, backend_random):
user, user_group = user_util.create_user_with_group()
# Needs a second user group to make sure that we select the right
# permissions.
user_group2 = user_util.create_user_group()
UserGroupModel().add_user_to_group(user_group2, user)
repo = backend_random.create_repo()
RepoModel().grant_user_group_permission(
repo, user_group.users_group_name, 'repository.read')
RepoModel().grant_user_group_permission(
repo, user_group2.users_group_name, 'repository.write')
permissions = get_permissions(user)
assert permissions['repositories'][repo.repo_name] == 'repository.write'
def test_cached_perms_data_repository_groups_permissions_inherited(
user_util, backend_random):
user, user_group = user_util.create_user_with_group()
# Needs a second group to hit the last condition
user_group2 = user_util.create_user_group()
UserGroupModel().add_user_to_group(user_group2, user)
repo_group = user_util.create_repo_group()
user_util.grant_user_group_permission_to_repo_group(
repo_group, user_group, 'group.read')
user_util.grant_user_group_permission_to_repo_group(
repo_group, user_group2, 'group.write')
permissions = get_permissions(user)
assert permissions['repositories_groups'][repo_group.group_name] == \
'group.write'
def test_repo_owner_permissions_not_overwritten_by_group(self):
# create repo as USER,
self.test_repo = fixture.create_repo(name='myownrepo',
repo_type='hg',
cur_user=self.u1)
# he has permissions of admin as owner
assert repo_perms(self.u1)['myownrepo'] == 'repository.admin'
# set his permission as user group, he should still be admin
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u1)
RepoModel().grant_user_group_permission(self.test_repo,
group_name=self.ug1,
perm='repository.none')
Session().commit()
assert repo_perms(self.u1)['myownrepo'] == 'repository.admin'
def cleanup(self):
if hasattr(self, 'test_repo'):
RepoModel().delete(repo=self.test_repo)
if hasattr(self, 'g1'):
RepoGroupModel().delete(self.g1.group_id)
if hasattr(self, 'g2'):
RepoGroupModel().delete(self.g2.group_id)
UserModel().delete(self.u1)
UserModel().delete(self.u2)
UserModel().delete(self.u3)
UserModel().delete(self.a1)
if hasattr(self, 'ug1'):
UserGroupModel().delete(self.ug1, force=True)
Session().commit()
def test_repo_group_owner_permissions_not_overwritten_by_group(self):
# "u1" shall be owner without any special permission assigned
self.g1 = fixture.create_repo_group('test1')
# Make user group and grant a permission to user group
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u1)
RepoGroupModel().grant_user_group_permission(repo_group=self.g1,
group_name=self.ug1,
perm='group.write')
# Verify that user does not get any special permission if he is not
# owner
assert group_perms(self.u1) == {'test1': 'group.write'}
# Make him owner of the repo group
self.g1.user = self.u1
assert group_perms(self.u1) == {'test1': 'group.admin'}
def create(self):
"""POST /users_groups: Create a new item"""
# url('users_groups')
users_group_form = UserGroupForm()()
try:
form_result = users_group_form.to_python(dict(request.POST))
user_group = UserGroupModel().create(
name=form_result['users_group_name'],
description=form_result['user_group_description'],
owner=c.rhodecode_user.user_id,
active=form_result['users_group_active'])
Session().flush()
user_group_name = form_result['users_group_name']
action_logger(c.rhodecode_user,
'admin_created_users_group:%s' % user_group_name,
None, self.ip_addr, self.sa)
user_group_link = h.link_to(
h.escape(user_group_name),
url('edit_users_group',
user_group_id=user_group.users_group_id))
h.flash(h.literal(
_('Created user group %(user_group_link)s') %
{'user_group_link': user_group_link}),
category='success')
Session().commit()
except formencode.Invalid as errors:
return htmlfill.render(
render('admin/user_groups/user_group_add.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.exception("Exception creating user group")
h.flash(_('Error occurred during creation of user group %s') \
% request.POST.get('users_group_name'), category='error')
return redirect(
url('edit_users_group', user_group_id=user_group.users_group_id))
def test_update_members_from_user_ids(user_regular, user_util):
user_group = user_util.create_user_group()
assert user_group.members == []
assert user_group.user != user_regular
expected_active_state = not user_group.users_group_active
form_data = {
'users_group_members': str(user_regular.user_id),
'user': str(user_regular.username),
'users_group_name': 'changed_name',
'users_group_active': expected_active_state,
'user_group_description': 'changed_description'
}
UserGroupModel().update(user_group, form_data)
assert user_group.members[0].user_id == user_regular.user_id
assert user_group.user_id == user_regular.user_id
assert 'changed_name' in user_group.users_group_name
assert 'changed_description' in user_group.user_group_description
assert user_group.users_group_active == expected_active_state
# Ignore changes on the test
Session().rollback()
