def create_default_ou(app_config,
verbosity=2,
interactive=True,
using=DEFAULT_DB_ALIAS,
**kwargs):
if not router.allow_migrate(using, get_ou_model()):
return
# be sure new objects names are localized using the default locale
with override(settings.LANGUAGE_CODE):
OrganizationalUnit = get_ou_model()
if OrganizationalUnit.objects.exists():
return
# Create a default OU if none exists currently
default_ou, created = OrganizationalUnit.objects.get_or_create(
slug='default',
defaults={
'default': True,
'name': _('Default organizational unit'),
})
# Update all existing models having an ou field to the default ou
for app in apps.get_app_configs():
for model in app.get_models():
related_model = get_fk_model(model, 'ou')
if not related_model == OrganizationalUnit:
return
model.objects.filter(ou__isnull=True).update(ou=default_ou)
def update_rbac_on_ou_post_save(sender, instance, created, raw, **kwargs):
from .management import update_ou_admin_roles, update_ous_admin_roles, \
update_content_types_roles
if get_ou_model().objects.count() < 3 and created:
update_ous_admin_roles()
else:
update_ou_admin_roles(instance)
def test_custom_ou(slapd, settings, client):
OU = get_ou_model()
ou = OU.objects.create(name='test', slug='test')
settings.LDAP_AUTH_SETTINGS = [{
'url': [slapd.ldap_url],
'basedn': u'o=ôrga',
'use_tls': False,
'ou_slug': 'test',
}]
result = client.post('/login/', {
'login-password-submit': '1',
'username': USERNAME,
'password': PASS
},
follow=True)
assert result.status_code == 200
assert 'Étienne Michu' in str(result)
User = get_user_model()
assert User.objects.count() == 1
user = User.objects.get()
assert user.username == u'%s@ldap' % USERNAME
assert user.first_name == u'Étienne'
assert user.last_name == u'Michu'
assert user.ou == ou
assert not user.check_password(PASS)
def update_rbac_on_ou_post_save(sender, instance, created, raw, **kwargs):
from .management import update_ou_admin_roles, update_ous_admin_roles, \
update_content_types_roles
if get_ou_model().objects.count() < 3 and created:
update_ous_admin_roles()
else:
update_ou_admin_roles(instance)
class OrganizationalUnitView(views.BaseTableView):
template_name = 'authentic2/manager/ous.html'
model = get_ou_model()
table_class = tables.OUTable
search_form_class = forms.NameSearchForm
permissions = ['a2_rbac.search_organizationalunit']
title = _('Organizational units')
class RoleEditForm(SlugMixin, HideOUFieldMixin, LimitQuerysetFormMixin,
CssClass, forms.ModelForm):
ou = forms.ModelChoiceField(queryset=get_ou_model().objects,
required=True,
label=_('Organizational unit'))
def clean_name(self):
qs = get_role_model().objects.all()
if self.instance and self.instance.pk:
qs = qs.exclude(pk=self.instance.pk)
ou = self.cleaned_data.get('ou')
# Test unicity of name for an OU and globally if no OU is present
name = self.cleaned_data.get('name')
if name and ou:
query = Q(name=name) & (Q(ou__isnull=True) | Q(ou=ou))
if qs.filter(query).exists():
raise ValidationError({
'name':
_('This name is not unique over this organizational unit.')
})
return name
class Meta:
model = get_role_model()
fields = ('name', 'ou', 'description')
class OrganizationalUnitAddView(views.BaseAddView):
model = get_ou_model()
permissions = ['a2_rbac.add_organizationalunit']
form_class = forms.OUEditForm
title = _('Add organizational unit')
def get_success_url(self):
return '..'
def test_manager_ou(app, superuser_or_admin, ou1):
OU = get_ou_model()
manager_home_page = login(app, superuser_or_admin,
reverse('a2-manager-homepage'))
ou_homepage = manager_home_page.click(href='organizational-units')
assert set([e.text for e in ou_homepage.pyquery('td.name')
]) == set(['OU1', 'Default organizational unit'])
# add a new ou
add_ou_page = ou_homepage.click('Add')
add_ou_page.form.set('name', 'ou2')
add_ou_page.form.set('default', True)
ou_homepage = add_ou_page.form.submit().follow()
ou2 = OU.objects.get(name='ou2')
assert set([e.text for e in ou_homepage.pyquery('td.name')
]) == set(['OU1', 'Default organizational unit', 'ou2'])
assert len(
ou_homepage.pyquery('tr[data-pk="%s"] td.default span.true' %
ou2.pk)) == 1
# FIXME: table lines are not clickable as they do not contain an anchor
# default ou cannot be deleted
ou2_detail_page = app.get(
reverse('a2-manager-ou-detail', kwargs={'pk': ou2.pk}))
assert ou2_detail_page.pyquery('a.disabled').text() == 'Delete'
# but ou1 can be deleted
ou1_detail_page = app.get(
reverse('a2-manager-ou-detail', kwargs={'pk': ou1.pk}))
ou1_delete_page = ou1_detail_page.click('Delete')
ou_homepage = ou1_delete_page.form.submit().follow()
assert set([e.text for e in ou_homepage.pyquery('td.name')
]) == set(['Default organizational unit', 'ou2'])
# remake old default ou the default one
old_default = OU.objects.get(name__contains='Default')
old_default_detail_page = app.get(
reverse('a2-manager-ou-detail', kwargs={'pk': old_default.pk}))
assert not old_default_detail_page.pyquery(
'input[name="default"][checked="checked"]')
old_default_edit_page = old_default_detail_page.click('Edit')
old_default_edit_page.form.set('default', True)
old_default_detail_page = old_default_edit_page.form.submit().follow()
# check detail page has changed
assert old_default_detail_page.pyquery(
'input[name="default"][checked="checked"]')
# check ou homepage has changed too
ou_homepage = old_default_detail_page.click('Organizational unit')
assert set([e.text for e in ou_homepage.pyquery('td.name')
]) == set(['Default organizational unit', 'ou2'])
assert len(ou_homepage.pyquery('span.true')) == 1
assert len(
ou_homepage.pyquery('tr[data-pk="%s"] td.default span.true' %
ou2.pk)) == 0
assert len(
ou_homepage.pyquery('tr[data-pk="%s"] td.default span.true' %
old_default.pk)) == 1
def get_table(self, **kwargs):
OU = get_ou_model()
exclude_ou = False
if (hasattr(self, 'search_form') and self.search_form.is_valid()
and self.search_form.cleaned_data.get('ou') is not None):
exclude_ou = True
if OU.objects.count() < 2:
exclude_ou = True
if exclude_ou:
kwargs['exclude'] = ['ou']
return super(HideOUColumnMixin, self).get_table(**kwargs)
def get_by_natural_key(self, ou_natural_key, slug):
OU = get_ou_model()
kwargs = {'slug': slug}
if ou_natural_key:
try:
ou = OU.objects.get_by_natural_key(*ou_natural_key)
except OU.DoesNotExist:
raise self.model.DoesNotExist
kwargs['ou'] = ou
else:
kwargs['ou__isnull'] = True
return self.get(**kwargs)
def import_ou(ou_d):
OU = get_ou_model()
# ou = search_ou([ou_d['slug']])
ou = search_ou(ou_d)
if ou is None:
ou = OU.objects.create(**ou_d)
status = 'created'
else:
update_model(ou, ou_d)
status = 'updated'
# Ensure admin role is created
ou.get_admin_role()
return ou, status
def test_role_parenting(db):
OrganizationalUnit = utils.get_ou_model()
Role = utils.get_role_model()
RoleParenting = utils.get_role_parenting_model()
ou = OrganizationalUnit.objects.create(name='ou')
roles = []
for i in range(10):
roles.append(Role.objects.create(name='r%d' % i, ou=ou))
assert Role.objects.count() == 10
assert RoleParenting.objects.count() == 0
for i in range(1, 3):
RoleParenting.objects.create(parent=roles[i - 1], child=roles[i])
assert RoleParenting.objects.filter(direct=True).count() == 2
assert RoleParenting.objects.filter(direct=False).count() == 1
for i, role in enumerate(roles[:3]):
assert role.children().count() == 3 - i
assert role.parents().count() == i + 1
assert role.children(False).count() == 3 - i - 1
assert role.parents(False).count() == i
for i in range(4, 6):
RoleParenting.objects.create(parent=roles[i - 1], child=roles[i])
assert RoleParenting.objects.filter(direct=True).count() == 4
assert RoleParenting.objects.filter(direct=False).count() == 2
for i, role in enumerate(roles[3:6]):
assert role.children().count() == 3 - i
assert role.parents().count() == i + 1
assert role.children(False).count() == 3 - i - 1
assert role.parents(False).count() == i
RoleParenting.objects.create(parent=roles[2], child=roles[3])
assert RoleParenting.objects.filter(direct=True).count() == 5
assert RoleParenting.objects.filter(direct=False).count() == 10
for i in range(6):
assert roles[i].parents().distinct().count() == i + 1
for i, role in enumerate(roles[:6]):
assert role.children().count() == 6 - i
assert role.parents().count() == i + 1
assert role.children(False).count() == 6 - i - 1
assert role.parents(False).count() == i
RoleParenting.objects.filter(parent=roles[2], child=roles[3],
direct=True).delete()
assert RoleParenting.objects.filter(direct=True).count() == 4
assert RoleParenting.objects.filter(direct=False).count() == 2
# test that it works with cycles
RoleParenting.objects.create(parent=roles[2], child=roles[3])
RoleParenting.objects.create(parent=roles[5], child=roles[0])
for role in roles[:6]:
assert role.children().count() == 6
assert role.parents().count() == 6
def create_default_ou(app_config, verbosity=2, interactive=True,
using=DEFAULT_DB_ALIAS, **kwargs):
if not router.allow_migrate(using, get_ou_model()):
return
# be sure new objects names are localized using the default locale
with override(settings.LANGUAGE_CODE):
OrganizationalUnit = get_ou_model()
if OrganizationalUnit.objects.exists():
return
# Create a default OU if none exists currently
default_ou, created = OrganizationalUnit.objects.get_or_create(
slug='default',
defaults={
'default': True,
'name': _('Default organizational unit'),
})
# Update all existing models having an ou field to the default ou
for app in apps.get_app_configs():
for model in app.get_models():
related_model = get_fk_model(model, 'ou')
if not related_model == OrganizationalUnit:
return
model.objects.filter(ou__isnull=True).update(ou=default_ou)
class OrganizationalUnitDetailView(views.BaseDetailView):
model = get_ou_model()
permissions = ['a2_rbac.view_organizationalunit']
form_class = forms.OUEditForm
template_name = 'authentic2/manager/ou_detail.html'
@property
def title(self):
return unicode(self.object)
def authorize(self, request, *args, **kwargs):
super(OrganizationalUnitDetailView,
self).authorize(request, *args, **kwargs)
self.can_delete = self.can_delete and not self.object.default
def populate_user_ou(self, user, dn, conn, block, attributes):
'''Assign LDAP user to an ou, the default one if ou_slug setting is
None'''
ou_slug = block['ou_slug']
OU = get_ou_model()
if ou_slug:
ou_slug = unicode(ou_slug)
try:
user.ou = OU.objects.get(slug=ou_slug)
except OU.DoesNotExist:
raise ImproperlyConfigured('ou_slug value is wrong for ldap %r',
block['url'])
else:
user.ou = get_default_ou()
def update_ous_admin_roles():
'''Create general admin roles linked to all organizational units,
they give general administrative rights to all mamanged content types
scoped to the given organizational unit.
'''
Role = get_role_model()
Permission = get_permission_model()
OU = get_ou_model()
ou_all = OU.objects.all()
if len(ou_all) < 2:
# If there is no ou or less than two, only generate global management
# roles
return
for ou in ou_all:
update_ou_admin_roles(ou)
def create_default_permissions(app_config,
verbosity=2,
interactive=True,
using=DEFAULT_DB_ALIAS,
**kwargs):
from .models import CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP, CHANGE_EMAIL_OP
if not router.allow_migrate(using, get_ou_model()):
return
with override(settings.LANGUAGE_CODE):
get_operation(CHANGE_PASSWORD_OP)
get_operation(RESET_PASSWORD_OP)
get_operation(ACTIVATE_OP)
get_operation(CHANGE_EMAIL_OP)
class ChoosePermissionForm(CssClass, forms.Form):
operation = forms.ModelChoiceField(required=False,
label=_('Operation'),
queryset=Operation.objects)
ou = forms.ModelChoiceField(label=_('Organizational unit'),
queryset=get_ou_model().objects,
required=False)
target = forms.ModelChoiceField(label=_('Target object'),
required=False,
queryset=ContentType.objects)
action = forms.CharField(initial='add',
required=False,
widget=forms.HiddenInput)
permission = forms.ModelChoiceField(
queryset=get_permission_model().objects,
required=False,
widget=forms.HiddenInput)
def get_queryset(self):
qs = super(RolesMixin, self).get_queryset()
qs = qs.select_related("ou")
Permission = get_permission_model()
permission_ct = ContentType.objects.get_for_model(Permission)
ct_ct = ContentType.objects.get_for_model(ContentType)
ou_ct = ContentType.objects.get_for_model(get_ou_model())
permission_qs = Permission.objects.filter(target_ct_id__in=[ct_ct.id, ou_ct.id]).values_list("id", flat=True)
# only non role-admin roles, they are accessed through the
# RoleManager views
if not self.admin_roles:
qs = qs.filter(
Q(admin_scope_ct__isnull=True) | Q(admin_scope_ct=permission_ct, admin_scope_id__in=permission_qs)
)
if not self.service_roles:
qs = qs.filter(service__isnull=True)
return qs
def get_search_ou_perm(ou=None):
if ou:
Permission = rbac_utils.get_permission_model()
view_ou_perm, created = Permission.objects.get_or_create(
operation=rbac_utils.get_operation(SEARCH_OP),
target_ct=ContentType.objects.get_for_model(ou),
target_id=ou.pk,
ou__isnull=True)
else:
OU = rbac_utils.get_ou_model()
Permission = rbac_utils.get_permission_model()
view_ou_perm, created = Permission.objects.get_or_create(
operation=rbac_utils.get_operation(SEARCH_OP),
target_ct=ContentType.objects.get_for_model(ContentType),
target_id=ContentType.objects.get_for_model(OU).pk,
ou__isnull=True)
return view_ou_perm
def test_manager_create_role(superuser_or_admin, app):
# clear cache from previous runs
from authentic2.manager.utils import get_ou_count
get_ou_count.cache.cache = {}
Role = get_role_model()
OU = get_ou_model()
non_admin_roles = Role.objects.exclude(slug__startswith='_')
ou_add = login(app, superuser_or_admin, reverse('a2-manager-role-add'))
form = ou_add.form
assert 'name' in form.fields
assert 'description' in form.fields
assert 'ou' not in form.fields
form.set('name', 'New role')
response = form.submit().follow()
assert non_admin_roles.count() == 1
role = non_admin_roles.get()
assert response.request.path == reverse('a2-manager-role-members',
kwargs={'pk': role.pk})
role_list = app.get(reverse('a2-manager-roles'))
assert 'New role' in role_list
# Test slug collision
non_admin_roles.update(name='Old role')
response = form.submit().follow()
role_list = app.get(reverse('a2-manager-roles'))
assert 'New role' in role_list
assert 'Old role' in role_list
assert non_admin_roles.count() == 2
assert non_admin_roles.get(name='New role').slug == 'new-role1'
assert non_admin_roles.get(name='Old role').slug == 'new-role'
# Test multi-ou form
OU.objects.create(name='New OU', slug='new-ou')
ou_add = app.get(reverse('a2-manager-role-add'))
form = ou_add.form
assert 'name' in form.fields
assert 'description' in form.fields
assert 'ou' in form.fields
options = [o[2] for o in form.fields['ou'][0].options]
assert len(options) == 3
assert '---------' in options
assert 'New OU' in options
class OrganizationalUnitDeleteView(views.BaseDeleteView):
model = get_ou_model()
template_name = 'authentic2/manager/ou_delete.html'
permissions = ['a2_rbac.delete_organizationalunit']
title = _('Delete organizational unit')
def dispatch(self, request, *args, **kwargs):
if self.get_object().default:
messages.warning(
request,
_('You cannot delete the default '
'organizational unit, you must first '
'set another default organiational '
'unit.'))
return self.return_ajax_response(
request, HttpResponseRedirect(self.get_success_url()))
return super(OrganizationalUnitDeleteView,
self).dispatch(request, *args, **kwargs)
def update_ous_admin_roles():
'''Create general admin roles linked to all organizational units,
they give general administrative rights to all mamanged content types
scoped to the given organizational unit.
'''
Role = get_role_model()
Permission = get_permission_model()
OU = get_ou_model()
ou_all = OU.objects.all()
if len(ou_all) < 2:
# If there is no ou or less than two, only generate global management
# roles
Role.objects.filter(slug__startswith='_a2', ou__isnull=False).delete()
Role.objects.filter(slug__startswith='_a2-managers-of-').delete()
Permission.objects.filter(roles__isnull=True).delete()
return
for ou in ou_all:
update_ou_admin_roles(ou)
def patch_authentic_user():
User = get_user_model()
OU = get_ou_model()
Role = get_role_model()
organisation_unit = OU.objects.get(default=True)
user_admin_commune = User.objects.get_or_create(
username='******')[0]
with provisionning:
role_agent_fabriques = Role(name='Agent ayant acces aux fabriques',
ou=organisation_unit)
role_agent_fabriques.save()
with open("/tmp/tmp_uuid_agent_fabriques.txt", 'w') as f:
f.write(role_agent_fabriques.uuid)
# Set role to user
role_agent_fabriques.members.add(user_admin_commune)
def register_issuer(name,
issuer=None,
openid_configuration=None,
verify=True,
timeout=None,
ou=None):
OU = get_ou_model()
ou = OU.objects.get(default=True)
return OIDCProvider.objects.create(
name=name,
ou=ou,
issuer=issuer,
strategy='create',
authorization_endpoint=openid_configuration[
'authorization_endpoint'],
token_endpoint=openid_configuration['token_endpoint'],
userinfo_endpoint=openid_configuration['userinfo_endpoint'],
end_session_endpoint=openid_configuration['end_session_endpoint'])
def test_manager_create_ou(superuser_or_admin, app):
OU = get_ou_model()
ou_add = login(app, superuser_or_admin, path=reverse('a2-manager-ou-add'))
form = ou_add.form
form.set('name', 'New OU')
response = form.submit().follow()
assert 'New OU' in response
assert OU.objects.count() == 2
assert OU.objects.get(name='New OU').slug == 'new-ou'
# Test slug collision
OU.objects.filter(name='New OU').update(name='Old OU')
response = form.submit().follow()
assert 'Old OU' in response
assert 'New OU' in response
assert OU.objects.get(name='Old OU').slug == 'new-ou'
assert OU.objects.get(name='New OU').slug == 'new-ou1'
assert OU.objects.count() == 3
def get_queryset(self):
qs = super(RolesMixin, self).get_queryset()
qs = qs.select_related('ou')
Permission = get_permission_model()
permission_ct = ContentType.objects.get_for_model(Permission)
ct_ct = ContentType.objects.get_for_model(ContentType)
ou_ct = ContentType.objects.get_for_model(get_ou_model())
permission_qs = Permission.objects.filter(target_ct_id__in=[ct_ct.id, ou_ct.id]) \
.values_list('id', flat=True)
# only non role-admin roles, they are accessed through the
# RoleManager views
if not self.admin_roles:
qs = qs.filter(
Q(admin_scope_ct__isnull=True)
| Q(admin_scope_ct=permission_ct,
admin_scope_id__in=permission_qs))
if not self.service_roles:
qs = qs.filter(service__isnull=True)
return qs
class AddLibertyProviderFromUrlForm(forms.Form):
name = forms.CharField(max_length=140, label=_('Name'))
slug = forms.SlugField(max_length=140, label=_('Shortcut'),
help_text=_("Internal nickname for the service provider"))
url = forms.URLField(label=_("Metadata's URL"))
ou = forms.ModelChoiceField(queryset=get_ou_model().objects, initial=get_default_ou,
label=_('Organizational unit'))
def clean(self):
cleaned_data = super(AddLibertyProviderFromUrlForm, self).clean()
name = cleaned_data.get('name')
slug = cleaned_data.get('slug')
url = cleaned_data.get('url')
ou = cleaned_data.get('ou')
self.instance = None
self.childs = []
if name and slug and url:
try:
response = requests.get(url)
response.raise_for_status()
content = response.content
except requests.RequestException, e:
raise ValidationError(_('Retrieval of %(url)s failed: %(exception)s') % {
'url': url,
'exception': e
})
root = ET.fromstring(content)
if root.tag != '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF:
raise ValidationError(_('Invalid SAML metadata: %s')
% _('missing EntityDescriptor tag'))
is_sp = not root.find('{%s}SPSSODescriptor' % lasso.SAML2_METADATA_HREF) is None
if not is_sp:
raise ValidationError(_('Invalid SAML metadata: %s')
% _('missing SPSSODescriptor tags'))
liberty_provider = LibertyProvider(name=name, slug=slug, metadata=content,
metadata_url=url, ou=ou)
liberty_provider.full_clean(exclude=('entity_id', 'protocol_conformance'))
self.childs.append(LibertyServiceProvider(
liberty_provider=liberty_provider,
enabled=True))
self.instance = liberty_provider
return cleaned_data
def get_form_kwargs(self, **kwargs):
'''Initialize mail from token'''
kwargs = super(RegistrationCompletionView,
self).get_form_kwargs(**kwargs)
if 'ou' in self.token:
OU = get_ou_model()
ou = get_object_or_404(OU, id=self.token['ou'])
else:
ou = get_default_ou()
attributes = {'email': self.email, 'ou': ou}
for key in self.token:
if key in app_settings.A2_PRE_REGISTRATION_FIELDS:
attributes[key] = self.token[key]
logger.debug(u'attributes %s', attributes)
prefilling_list = utils.accumulate_from_backends(
self.request, 'registration_form_prefill')
logger.debug(u'prefilling_list %s', prefilling_list)
# Build a single meaningful prefilling with sets of values
prefilling = {}
for p in prefilling_list:
for name, values in p.items():
if name in self.fields:
prefilling.setdefault(name, set()).update(values)
logger.debug(u'prefilling %s', prefilling)
for name, values in prefilling.items():
attributes[name] = ' '.join(values)
logger.debug(u'attributes with prefilling %s', attributes)
if self.token.get('user_id'):
kwargs['instance'] = User.objects.get(id=self.token.get('user_id'))
else:
init_kwargs = {}
for key in ('email', 'first_name', 'last_name', 'ou'):
if key in attributes:
init_kwargs[key] = attributes[key]
kwargs['instance'] = get_user_model()(**init_kwargs)
return kwargs
def test_manager_stress_create_user(superuser_or_admin, app, mailoutbox):
User = get_user_model()
OU = get_ou_model()
new_ou = OU.objects.create(name='new ou', slug='new-ou')
url = reverse('a2-manager-user-add', kwargs={'ou_pk': new_ou.pk})
# create first user with [email protected] ou OU1 : OK
assert len(mailoutbox) == 0
assert User.objects.filter(ou_id=new_ou.id).count() == 0
for i in range(100):
ou_add = login(app, superuser_or_admin, url)
form = ou_add.form
form.set('first_name', 'John')
form.set('last_name', 'Doe')
form.set('email', '*****@*****.**')
form.set('password1', 'ABcd1234')
form.set('password2', 'ABcd1234')
form.submit().follow()
app.get('/logout/').form.submit()
assert User.objects.filter(ou_id=new_ou.id).count() == 100
assert len(mailoutbox) == 100
def test_custom_ou(settings, client):
OU = get_ou_model()
ou = OU.objects.create(name='test', slug='test')
settings.LDAP_AUTH_SETTINGS = [{
'url': [slapd.ldapi_url],
'basedn': 'o=orga',
'use_tls': False,
'ou_slug': 'test',
}]
result = client.post('/login/', {'login-password-submit': '1',
'username': '******',
'password': '******'}, follow=True)
assert result.status_code == 200
assert 'id="user"' in str(result)
assert 'Étienne Michu' in str(result)
User = get_user_model()
assert User.objects.count() == 1
user = User.objects.get()
assert user.username == u'etienne.michu@ldap'
assert user.first_name == u'Étienne'
assert user.last_name == u'Michu'
assert user.ou == ou
assert not user.check_password('pass')
def get_by_natural_key(self, slug, ou_natural_key, service_natural_key):
kwargs = {'slug': slug}
if ou_natural_key is None:
kwargs['ou__isnull'] = True
else:
OU = rbac_utils.get_ou_model()
try:
ou = OU.objects.get_by_natural_key(*ou_natural_key)
except OU.DoesNotExist:
raise self.model.DoesNotExist
kwargs['ou'] = ou
if service_natural_key is None:
kwargs['service__isnull'] = True
else:
# XXX: prevent an import loop
from authentic2.models import Service
try:
service = Service.objects.get_by_natural_key(*service_natural_key)
except Service.DoesNotExist:
raise self.model.DoesNotExist
kwargs['service'] = service
return self.get(**kwargs)
def permissions(self):
""" Update permissions (delete everything then create)
"""
created, deleted = [], []
for perm in self._obj.permissions.all():
perm.delete()
deleted.append(perm)
self._obj.permissions.clear()
if self._permissions:
for perm in self._permissions:
op = Operation.objects.get_by_natural_key_json(
perm['operation'])
ou = get_ou_model().objects.get_by_natural_key_json(
perm['ou']) if perm['ou'] else None
ct = ContentType.objects.get_by_natural_key_json(
perm['target_ct'])
target = ct.model_class().objects.get_by_natural_key_json(
perm['target'])
perm = get_permission_model().objects.create(
operation=op, ou=ou, target_ct=ct, target_id=target.pk)
self._obj.permissions.add(perm)
created.append(perm)
return created, deleted
def setUp(self):
User = get_user_model()
Role = get_role_model()
OU = get_ou_model()
ct_user = ContentType.objects.get_for_model(User)
self.ou = OU.objects.create(slug='ou', name='OU', email_is_unique=True,
username_is_unique=True)
self.reguser1 = User.objects.create(username='******')
self.reguser1.set_password('password')
self.reguser1.save()
cred = '%s:%s' % (self.reguser1.username.encode('utf-8'), 'password')
self.reguser1_cred = base64.b64encode(cred)
self.user_admin_role = Role.objects.get_admin_role(
instance=ct_user, name='user admin', slug='user-admin')
self.reguser1.roles.add(self.user_admin_role)
self.reguser2 = User.objects.create(username='******',
password='******')
self.reguser2.set_password('password')
self.reguser2.save()
cred = '%s:%s' % (self.reguser2.username.encode('utf-8'), 'password')
self.reguser2_cred = base64.b64encode(cred)
self.ou_user_admin_role = Role.objects.get_admin_role(
instance=ct_user, name='user admin', slug='user-admin',
ou=self.ou)
self.ou_user_admin_role.members.add(self.reguser2)
self.reguser3 = User.objects.create(username='******',
password='******',
is_superuser=True)
self.reguser3.set_password('password')
self.reguser3.save()
cred = '%s:%s' % (self.reguser3.username.encode('utf-8'), 'password')
self.reguser3_cred = base64.b64encode(cred)
def create_authentic_user():
User = get_user_model()
OU = get_ou_model()
Role = get_role_model()
organisation_unit = OU.objects.get(default=True)
with provisionning:
# create default role in ts2.
try:
role_agent_fabriques = Role.objects.get(
name='Agent ayant acces aux fabriques')
except ObjectDoesNotExist:
role_agent_fabriques = Role(name='Agent ayant acces aux fabriques',
ou=organisation_unit)
role_agent_fabriques.save()
try:
role_agent_traitant_pop = Role.objects.get(
name='Agents traitants - Population, etat civil')
except ObjectDoesNotExist:
role_agent_traitant_pop = Role(
name='Agents traitants - Population, etat civil',
ou=organisation_unit)
role_agent_traitant_pop.save()
try:
role_agent_traitant_trav = Role.objects.get(
name='Agents traitants - Travaux')
except ObjectDoesNotExist:
role_agent_traitant_trav = Role(name='Agents traitants - Travaux',
ou=organisation_unit)
role_agent_traitant_trav.save()
try:
role_citoyen_test = Role.objects.get(name='Citoyen (test)')
except ObjectDoesNotExist:
role_citoyen_test = Role(name='Citoyen (test)',
ou=organisation_unit)
role_citoyen_test.save()
try:
role_debug = Role.objects.get(name='Debug')
except ObjectDoesNotExist:
role_debug = Role(name='Debug', ou=organisation_unit)
role_debug.save()
with open("/tmp/tmp_uuid_agent_fabriques.txt", 'w') as f:
f.write(role_agent_fabriques.uuid)
f.close()
with open("/tmp/tmp_uuid_agent_traitant_pop.txt", 'w') as f:
f.write(role_agent_traitant_pop.uuid)
f.close()
with open("/tmp/tmp_uuid_agent_traitant_trav.txt", 'w') as f:
f.write(role_agent_traitant_trav.uuid)
f.close()
with open("/tmp/tmp_uuid_citoyen_test.txt", 'w') as f:
f.write(role_citoyen_test.uuid)
f.close()
with open("/tmp/tmp_uuid_debug.txt", 'w') as f:
f.write(role_debug.uuid)
f.close()
user_admin = User.objects.get(username='******')
role_debug.members.add(user_admin)
def __init__(self, *args, **kwargs):
super(HideOUFieldMixin, self).__init__(*args, **kwargs)
OU = get_ou_model()
if OU.objects.count() < 2:
del self.fields['ou']
def update_rbac_on_ou_post_delete(sender, instance, **kwargs):
from .management import update_ou_admin_roles, update_ous_admin_roles, \
update_content_types_roles
if get_ou_model().objects.count() < 2:
update_ous_admin_roles()
def get_table(self, **kwargs):
OU = get_ou_model()
if OU.objects.count() < 2:
kwargs['exclude'] = ['ou']
return super(HideOUColumnMixin, self).get_table(**kwargs)
def test_api_users_create_email_is_unique(settings, app, superuser):
from django.contrib.auth import get_user_model
User = get_user_model()
OU = get_ou_model()
ou1 = OU.objects.create(name='OU1', slug='ou1')
ou2 = OU.objects.create(name='OU2', slug='ou2', email_is_unique=True)
app.authorization = ('Basic', (superuser.username, superuser.username))
# test missing first_name
payload = {
'ou': 'ou1',
'first_name': 'John',
'last_name': 'Doe',
'email': '*****@*****.**',
}
assert User.objects.filter(ou=ou1).count() == 0
assert User.objects.filter(ou=ou2).count() == 0
app.post_json('/api/users/', params=payload)
assert User.objects.filter(ou=ou1).count() == 1
app.post_json('/api/users/', params=payload)
assert User.objects.filter(ou=ou1).count() == 2
payload['ou'] = 'ou2'
app.post_json('/api/users/', params=payload)
assert User.objects.filter(ou=ou2).count() == 1
resp = app.post_json('/api/users/', params=payload, status=400)
assert User.objects.filter(ou=ou2).count() == 1
assert resp.json['result'] == 0
assert resp.json['errors']['email']
settings.A2_EMAIL_IS_UNIQUE = True
User.objects.filter(ou=ou1).delete()
assert User.objects.filter(ou=ou1).count() == 0
payload['ou'] = 'ou1'
app.post_json('/api/users/', params=payload, status=400)
assert User.objects.filter(ou=ou1).count() == 0
assert resp.json['result'] == 0
assert resp.json['errors']['email']
payload['email'] = '*****@*****.**'
resp = app.post_json('/api/users/', params=payload)
uuid = resp.json['uuid']
app.patch_json('/api/users/%s/' % uuid, params={'email': '*****@*****.**'})
resp = app.patch_json('/api/users/%s/' % uuid, params={'email': '*****@*****.**'},
status=400)
assert resp.json['result'] == 0
assert resp.json['errors']['email']
settings.A2_EMAIL_IS_UNIQUE = False
payload['ou'] = 'ou2'
payload['email'] = '*****@*****.**'
resp = app.post_json('/api/users/', params=payload)
assert User.objects.filter(ou=ou2).count() == 2
uuid = resp.json['uuid']
resp = app.patch_json('/api/users/%s/' % uuid, params={'email': '*****@*****.**'},
status=400)
assert resp.json['result'] == 0
assert resp.json['errors']['email']
# -*- coding: utf-8 -*-
import re
from django.contrib.auth import get_user_model
from django_rbac.utils import get_role_model, get_ou_model
from django_rbac.models import VIEW_OP
from django.test import Client
from django.core import mail
from lxml import html
from authentic2.tests import Authentic2TestCase as TestCase, get_response_form
User = get_user_model()
Role = get_role_model()
OU = get_ou_model()
class ManagerRBACTestCase(TestCase):
def setUp(self):
self.ou1 = OU.objects.create(name="ou1")
self.ou2 = OU.objects.create(name="ou2")
self.ou1_u1 = User.objects.create(username="******", ou=self.ou1)
self.ou1_u1.set_password("u1")
self.ou1_u1.save()
self.ou1_u2 = User.objects.create(username="******", ou=self.ou1)
self.ou1_u2.set_password("u2")
self.ou1_u2.save()
self.ou2_u1 = User.objects.create(username="******", ou=self.ou2)
self.ou2_u1.set_password("u1")
self.ou2_u1.save()
