def test_enforce_groups(pre_existing, regular_should_be, external_should_be, groups, expected, backend_hg): # TODO: anderson: adding backend_hg fixture so it sets up the database # for when running this file alone _delete_all_user_groups() user = User.get_by_username(TEST_USER_REGULAR_LOGIN) for gr in pre_existing: gr = fixture.create_user_group(gr) Session().commit() # make sure use is just in those groups for gr in regular_should_be: gr = fixture.create_user_group(gr) Session().commit() UserGroupModel().add_user_to_group(gr, user) Session().commit() # now special external groups created by auth plugins for gr in external_should_be: gr = fixture.create_user_group( gr, user_group_data={'extern_type': 'container'}) Session().commit() UserGroupModel().add_user_to_group(gr, user) Session().commit() UserGroupModel().enforce_groups(user, groups, 'container') Session().commit() user = User.get_by_username(TEST_USER_REGULAR_LOGIN) in_groups = user.group_member expected.sort() assert (expected == sorted(x.users_group.users_group_name for x in in_groups))
def test_set_users_as_members_and_find_user_in_group(user_util, user_regular, user_admin): user_group = user_util.create_user_group() assert len(user_group.members) == 0 user_list = [user_regular.user_id, user_admin.user_id] UserGroupModel()._set_users_as_members(user_group, user_list) assert len(user_group.members) == 2 assert UserGroupModel()._find_user_in_group(user_regular, user_group)
def test_add_and_remove_user_from_group(user_regular, user_util): user_group = user_util.create_user_group() assert user_group.members == [] UserGroupModel().add_user_to_group(user_group, user_regular) Session().commit() assert user_group.members[0].user == user_regular UserGroupModel().remove_user_from_group(user_group, user_regular) Session().commit() assert user_group.members == []
def test_get_added_and_removed_users(): members = _create_test_members() mock_user_group = mock.Mock() mock_user_group.members = [members[0], members[1]] new_users_list = [members[1].user.user_id, members[2].user.user_id] model = UserGroupModel() added, removed = model._get_added_and_removed_user_ids( mock_user_group, new_users_list) assert added == [members[2].user.user_id] assert removed == [members[0].user.user_id]
def get_user_groups(request, apiuser): """ Lists all the existing user groups within RhodeCode. This command can only be run using an |authtoken| with admin rights to the specified repository. This command takes the following options: :param apiuser: This is filled automatically from the |authtoken|. :type apiuser: AuthUser Example error output: .. code-block:: bash id : <id_given_in_input> result : [<user_group_obj>,...] error : null """ include_secrets = has_superadmin_permission(apiuser) result = [] _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',) extras = {'user': apiuser} for user_group in UserGroupList(UserGroupModel().get_all(), perm_set=_perms, extra_kwargs=extras): result.append( user_group.get_api_data(include_secrets=include_secrets)) return result
def test_api_create_user_group_regular_user(self): group_name = 'some_new_group' usr = UserModel().get_by_username(self.TEST_USER_LOGIN) usr.inherit_default_permissions = False Session().add(usr) UserModel().grant_perm(self.TEST_USER_LOGIN, 'hg.usergroup.create.true') Session().commit() id_, params = build_data(self.apikey_regular, 'create_user_group', group_name=group_name) response = api_call(self.app, params) expected = { 'msg': 'created new user group `%s`' % (group_name, ), 'user_group': jsonify(UserGroupModel().get_by_name(group_name).get_api_data()) } try: assert_ok(id_, expected, given=response.body) finally: self.fixture.destroy_user_group(group_name) UserModel().revoke_perm(self.TEST_USER_LOGIN, 'hg.usergroup.create.true') usr = UserModel().get_by_username(self.TEST_USER_LOGIN) usr.inherit_default_permissions = True Session().add(usr) Session().commit()
def test_api_grant_user_group_permission_to_user_group( self, name, perm, user_util): group = user_util.create_user_group() target_group = user_util.create_user_group() id_, params = build_data( self.apikey, 'grant_user_group_permission_to_user_group', usergroupid=target_group.users_group_name, sourceusergroupid=group.users_group_name, perm=perm) response = api_call(self.app, params) expected = { 'msg': ( 'Granted perm: `%s` for user group: `%s`' ' in user group: `%s`' % ( perm, group.users_group_name, target_group.users_group_name ) ), 'success': True } try: assert_ok(id_, expected, given=response.body) finally: UserGroupModel().revoke_user_group_permission( target_group.users_group_id, group.users_group_id)
def update_perms(self, user_group_id): """ grant permission for given usergroup :param user_group_id: """ user_group_id = safe_int(user_group_id) c.user_group = UserGroup.get_or_404(user_group_id) form = UserGroupPermsForm()().to_python(request.POST) if not c.rhodecode_user.is_admin: if self._revoke_perms_on_yourself(form): msg = _('Cannot change permission for yourself as admin') h.flash(msg, category='warning') return redirect( url('edit_user_group_perms', user_group_id=user_group_id)) try: UserGroupModel().update_permissions(user_group_id, form['perm_additions'], form['perm_updates'], form['perm_deletions']) except RepoGroupAssignmentError: h.flash(_('Target group cannot be the same'), category='error') return redirect( url('edit_user_group_perms', user_group_id=user_group_id)) #TODO: implement this #action_logger(c.rhodecode_user, 'admin_changed_repo_permissions', # repo_name, self.ip_addr, self.sa) Session().commit() h.flash(_('User Group permissions updated'), category='success') return redirect( url('edit_user_group_perms', user_group_id=user_group_id))
def test_cached_perms_data_user_group_global_permissions_(user_util): user, user_group = user_util.create_user_with_group() granted_permission = 'repository.write' UserGroupModel().grant_perm(user_group, granted_permission) permissions = get_permissions(user) assert granted_permission in permissions['global']
def grant_user_permission_to_user_group( request, apiuser, usergroupid, userid, perm): """ Set permissions for a user in a user group. :param apiuser: This is filled automatically from the |authtoken|. :type apiuser: AuthUser :param usergroupid: Set the user group to edit permissions on. :type usergroupid: str or int :param userid: Set the user from whom you wish to set permissions. :type userid: str :param perm: (usergroup.(none|read|write|admin)) :type perm: str Example output: .. code-block:: bash id : <id_given_in_input> result : { "msg": "Granted perm: `<perm_name>` for user: `<username>` in user group: `<user_group_name>`", "success": true } error : null """ user_group = get_user_group_or_error(usergroupid) if not has_superadmin_permission(apiuser): # check if we have admin permission for this user group ! _perms = ('usergroup.admin',) if not HasUserGroupPermissionAnyApi(*_perms)( user=apiuser, user_group_name=user_group.users_group_name): raise JSONRPCError( 'user group `%s` does not exist' % (usergroupid,)) user = get_user_or_error(userid) perm = get_perm_or_error(perm, prefix='usergroup.') try: UserGroupModel().grant_user_permission( user_group=user_group, user=user, perm=perm) Session().commit() return { 'msg': 'Granted perm: `%s` for user: `%s` in user group: `%s`' % ( perm.permission_name, user.username, user_group.users_group_name ), 'success': True } except Exception: log.exception("Error occurred during editing permissions " "for user in user group") raise JSONRPCError( 'failed to edit permission for user: '******'`%s` in user group: `%s`' % ( userid, user_group.users_group_name))
def test_cached_perms_data_user_group_permissions_explicit( user_util, backend_random): user = user_util.create_user() user_group = user_util.create_user_group() UserGroupModel().grant_user_permission(user_group, user, 'usergroup.none') permissions = get_permissions(user, explicit=True) assert permissions['user_groups'][user_group.users_group_name] == \ 'usergroup.none'
def remove_user_from_user_group(request, apiuser, usergroupid, userid): """ Removes a user from a user group. * If the specified user is not in the group, this command will return `false`. This command can only be run using an |authtoken| with admin rights to the specified user group. :param apiuser: This is filled automatically from the |authtoken|. :type apiuser: AuthUser :param usergroupid: Sets the user group name. :type usergroupid: str or int :param userid: The user you wish to remove from |RCE|. :type userid: str or int Example output: .. code-block:: bash id : <id_given_in_input> result: { "success": True|False, # depends on if member is in group "msg": "removed member <username> from user group <groupname> | User wasn't in group" } error: null """ user = get_user_or_error(userid) user_group = get_user_group_or_error(usergroupid) if not has_superadmin_permission(apiuser): # check if we have admin permission for this user group ! _perms = ('usergroup.admin',) if not HasUserGroupPermissionAnyApi(*_perms)( user=apiuser, user_group_name=user_group.users_group_name): raise JSONRPCError( 'user group `%s` does not exist' % (usergroupid,)) try: success = UserGroupModel().remove_user_from_group(user_group, user) msg = 'removed member `%s` from user group `%s`' % ( user.username, user_group.users_group_name ) msg = msg if success else "User wasn't in group" Session().commit() return {'success': success, 'msg': msg} except Exception: log.exception("Error occurred during removing an member from user group") raise JSONRPCError( 'failed to remove member from user group `%s`' % ( user_group.users_group_name, ) )
def test_user_delete_cascades_permissions_on_user_group( test_user_group, test_user): UserGroupModel().grant_user_permission(test_user_group, test_user, 'usergroup.write') Session().commit() assert test_user.user_group_to_perm Session().delete(test_user) Session().commit()
def revoke_user_permission_from_user_group( request, apiuser, usergroupid, userid): """ Revoke a users permissions in a user group. :param apiuser: This is filled automatically from the |authtoken|. :type apiuser: AuthUser :param usergroupid: Set the user group from which to revoke the user permissions. :type: usergroupid: str or int :param userid: Set the userid of the user whose permissions will be revoked. :type userid: str Example output: .. code-block:: bash id : <id_given_in_input> result : { "msg": "Revoked perm for user: `<username>` in user group: `<user_group_name>`", "success": true } error : null """ user_group = get_user_group_or_error(usergroupid) if not has_superadmin_permission(apiuser): # check if we have admin permission for this user group ! _perms = ('usergroup.admin',) if not HasUserGroupPermissionAnyApi(*_perms)( user=apiuser, user_group_name=user_group.users_group_name): raise JSONRPCError( 'user group `%s` does not exist' % (usergroupid,)) user = get_user_or_error(userid) try: UserGroupModel().revoke_user_permission( user_group=user_group, user=user) Session().commit() return { 'msg': 'Revoked perm for user: `%s` in user group: `%s`' % ( user.username, user_group.users_group_name ), 'success': True } except Exception: log.exception("Error occurred during editing permissions " "for user in user group") raise JSONRPCError( 'failed to edit permission for user: `%s` in user group: `%s`' % (userid, user_group.users_group_name))
def test_ValidUserGroup(): validator = v.ValidUserGroup() pytest.raises(formencode.Invalid, validator.to_python, 'default') pytest.raises(formencode.Invalid, validator.to_python, '.,') gr = fixture.create_user_group('test') gr2 = fixture.create_user_group('tes2') Session().commit() pytest.raises(formencode.Invalid, validator.to_python, 'test') assert gr.users_group_id is not None validator = v.ValidUserGroup( edit=True, old_data={'users_group_id': gr2.users_group_id}) pytest.raises(formencode.Invalid, validator.to_python, 'test') pytest.raises(formencode.Invalid, validator.to_python, 'TesT') pytest.raises(formencode.Invalid, validator.to_python, 'TEST') UserGroupModel().delete(gr) UserGroupModel().delete(gr2) Session().commit()
def get_user_group_or_error(usergroupid): """ Get user group by id or name or return JsonRPCError if not found :param usergroupid: """ from rhodecode.model.user_group import UserGroupModel user_group = UserGroupModel().get_group(usergroupid) if user_group is None: raise JSONRPCError('user group `%s` does not exist' % (usergroupid, )) return user_group
def test_repo_group_user_as_user_group_member(self): # create Group1 self.g1 = fixture.create_repo_group('group1', skip_if_exists=True) assert group_perms(self.anon) == {u'group1': u'group.read'} # set default permission to none RepoGroupModel().grant_user_permission(repo_group=self.g1, user=self.anon, perm='group.none') # make group self.ug1 = fixture.create_user_group('G1') # add user to group UserGroupModel().add_user_to_group(self.ug1, self.u1) Session().commit() # check if user is in the group ug1 = UserGroupModel().get(self.ug1.users_group_id) members = [x.user_id for x in ug1.members] assert members == [self.u1.user_id] # add some user to that group # check his permissions assert group_perms(self.anon) == {u'group1': u'group.none'} assert group_perms(self.u1) == {u'group1': u'group.none'} # grant ug1 read permissions for RepoGroupModel().grant_user_group_permission(repo_group=self.g1, group_name=self.ug1, perm='group.read') Session().commit() # check if the obj = Session().query(UserGroupRepoGroupToPerm)\ .filter(UserGroupRepoGroupToPerm.group == self.g1)\ .filter(UserGroupRepoGroupToPerm.users_group == self.ug1)\ .scalar() assert obj.permission.permission_name == 'group.read' assert group_perms(self.anon) == {u'group1': u'group.none'} assert group_perms(self.u1) == {u'group1': u'group.read'}
def test_propagated_permission_from_users_group(self, repo_name): # make group self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u3) # grant perm for group # this should override default permission from user new_perm_gr = 'repository.write' RepoModel().grant_user_group_permission(repo=repo_name, group_name=self.ug1, perm=new_perm_gr) assert repo_perms(self.u3)[repo_name] == new_perm_gr assert group_perms(self.u3) == {}
def update(self, user_group_id): """PUT /user_groups/user_group_id: Update an existing item""" # Forms posted to this method should contain a hidden field: # <input type="hidden" name="_method" value="PUT" /> # Or using helpers: # h.form(url('users_group', user_group_id=ID), # method='put') # url('users_group', user_group_id=ID) user_group_id = safe_int(user_group_id) c.user_group = UserGroup.get_or_404(user_group_id) c.active = 'settings' self.__load_data(user_group_id) available_members = [safe_unicode(x[0]) for x in c.available_members] users_group_form = UserGroupForm(edit=True, old_data=c.user_group.get_dict(), available_members=available_members, allow_disabled=True)() try: form_result = users_group_form.to_python(request.POST) UserGroupModel().update(c.user_group, form_result) gr = form_result['users_group_name'] action_logger(c.rhodecode_user, 'admin_updated_users_group:%s' % gr, None, self.ip_addr, self.sa) h.flash(_('Updated user group %s') % gr, category='success') Session().commit() except formencode.Invalid as errors: defaults = errors.value e = errors.error_dict or {} return htmlfill.render( render('admin/user_groups/user_group_edit.html'), defaults=defaults, errors=e, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.exception("Exception during update of user group") h.flash(_('Error occurred during update of user group %s') % request.POST.get('users_group_name'), category='error') return redirect(url('edit_users_group', user_group_id=user_group_id))
def test_cached_perms_data_user_group_permissions_inherited( user_util, backend_random): user, user_group = user_util.create_user_with_group() user_group2 = user_util.create_user_group() UserGroupModel().add_user_to_group(user_group2, user) target_user_group = user_util.create_user_group() user_util.grant_user_group_permission_to_user_group( target_user_group, user_group, 'usergroup.read') user_util.grant_user_group_permission_to_user_group( target_user_group, user_group2, 'usergroup.write') permissions = get_permissions(user) assert permissions['user_groups'][target_user_group.users_group_name] == \ 'usergroup.write'
def test_create_and_remove(test_user): usr = test_user # make user group user_group = fixture.create_user_group('some_example_group') Session().commit() UserGroupModel().add_user_to_group(user_group, usr) Session().commit() assert UserGroup.get(user_group.users_group_id) == user_group assert UserGroupMember.query().count() == 1 UserModel().delete(usr.user_id) Session().commit() assert UserGroupMember.query().all() == []
def test_api_create_user_group(self): group_name = 'some_new_group' id_, params = build_data(self.apikey, 'create_user_group', group_name=group_name) response = api_call(self.app, params) ret = { 'msg': 'created new user group `%s`' % (group_name, ), 'user_group': jsonify(UserGroupModel().get_by_name(group_name).get_api_data()) } expected = ret assert_ok(id_, expected, given=response.body) self.fixture.destroy_user_group(group_name)
def create_user_group(self, name, **kwargs): if 'skip_if_exists' in kwargs: del kwargs['skip_if_exists'] gr = UserGroup.get_by_group_name(group_name=name) if gr: return gr form_data = self._get_user_group_create_params(name, **kwargs) owner = kwargs.get('cur_user', TEST_USER_ADMIN_LOGIN) user_group = UserGroupModel().create( name=form_data['users_group_name'], description=form_data['user_group_description'], owner=owner, active=form_data['users_group_active'], group_data=form_data['user_group_data']) Session().commit() user_group = UserGroup.get_by_group_name(user_group.users_group_name) return user_group
def test_cached_perms_data_repository_permissions_from_user_group( user_util, backend_random): user, user_group = user_util.create_user_with_group() # Needs a second user group to make sure that we select the right # permissions. user_group2 = user_util.create_user_group() UserGroupModel().add_user_to_group(user_group2, user) repo = backend_random.create_repo() RepoModel().grant_user_group_permission( repo, user_group.users_group_name, 'repository.read') RepoModel().grant_user_group_permission( repo, user_group2.users_group_name, 'repository.write') permissions = get_permissions(user) assert permissions['repositories'][repo.repo_name] == 'repository.write'
def test_cached_perms_data_repository_groups_permissions_inherited( user_util, backend_random): user, user_group = user_util.create_user_with_group() # Needs a second group to hit the last condition user_group2 = user_util.create_user_group() UserGroupModel().add_user_to_group(user_group2, user) repo_group = user_util.create_repo_group() user_util.grant_user_group_permission_to_repo_group( repo_group, user_group, 'group.read') user_util.grant_user_group_permission_to_repo_group( repo_group, user_group2, 'group.write') permissions = get_permissions(user) assert permissions['repositories_groups'][repo_group.group_name] == \ 'group.write'
def test_repo_owner_permissions_not_overwritten_by_group(self): # create repo as USER, self.test_repo = fixture.create_repo(name='myownrepo', repo_type='hg', cur_user=self.u1) # he has permissions of admin as owner assert repo_perms(self.u1)['myownrepo'] == 'repository.admin' # set his permission as user group, he should still be admin self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u1) RepoModel().grant_user_group_permission(self.test_repo, group_name=self.ug1, perm='repository.none') Session().commit() assert repo_perms(self.u1)['myownrepo'] == 'repository.admin'
def cleanup(self): if hasattr(self, 'test_repo'): RepoModel().delete(repo=self.test_repo) if hasattr(self, 'g1'): RepoGroupModel().delete(self.g1.group_id) if hasattr(self, 'g2'): RepoGroupModel().delete(self.g2.group_id) UserModel().delete(self.u1) UserModel().delete(self.u2) UserModel().delete(self.u3) UserModel().delete(self.a1) if hasattr(self, 'ug1'): UserGroupModel().delete(self.ug1, force=True) Session().commit()
def test_repo_group_owner_permissions_not_overwritten_by_group(self): # "u1" shall be owner without any special permission assigned self.g1 = fixture.create_repo_group('test1') # Make user group and grant a permission to user group self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u1) RepoGroupModel().grant_user_group_permission(repo_group=self.g1, group_name=self.ug1, perm='group.write') # Verify that user does not get any special permission if he is not # owner assert group_perms(self.u1) == {'test1': 'group.write'} # Make him owner of the repo group self.g1.user = self.u1 assert group_perms(self.u1) == {'test1': 'group.admin'}
def create(self): """POST /users_groups: Create a new item""" # url('users_groups') users_group_form = UserGroupForm()() try: form_result = users_group_form.to_python(dict(request.POST)) user_group = UserGroupModel().create( name=form_result['users_group_name'], description=form_result['user_group_description'], owner=c.rhodecode_user.user_id, active=form_result['users_group_active']) Session().flush() user_group_name = form_result['users_group_name'] action_logger(c.rhodecode_user, 'admin_created_users_group:%s' % user_group_name, None, self.ip_addr, self.sa) user_group_link = h.link_to( h.escape(user_group_name), url('edit_users_group', user_group_id=user_group.users_group_id)) h.flash(h.literal( _('Created user group %(user_group_link)s') % {'user_group_link': user_group_link}), category='success') Session().commit() except formencode.Invalid as errors: return htmlfill.render( render('admin/user_groups/user_group_add.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.exception("Exception creating user group") h.flash(_('Error occurred during creation of user group %s') \ % request.POST.get('users_group_name'), category='error') return redirect( url('edit_users_group', user_group_id=user_group.users_group_id))
def test_update_members_from_user_ids(user_regular, user_util): user_group = user_util.create_user_group() assert user_group.members == [] assert user_group.user != user_regular expected_active_state = not user_group.users_group_active form_data = { 'users_group_members': str(user_regular.user_id), 'user': str(user_regular.username), 'users_group_name': 'changed_name', 'users_group_active': expected_active_state, 'user_group_description': 'changed_description' } UserGroupModel().update(user_group, form_data) assert user_group.members[0].user_id == user_regular.user_id assert user_group.user_id == user_regular.user_id assert 'changed_name' in user_group.users_group_name assert 'changed_description' in user_group.user_group_description assert user_group.users_group_active == expected_active_state # Ignore changes on the test Session().rollback()