def _new_group(self, group_id, display_name, group_name, ldap, root_password): user = identity.current.user if ldap and not user.is_admin(): flash(_(u'Only admins can create LDAP groups')) redirect('.') try: Group.by_name(group_name) except NoResultFound: pass else: flash( _(u"Group %s already exists." % group_name) ) redirect(".") group = Group() session.add(group) group.record_activity(user=user, service=u'WEBUI', field=u'Group', action=u'Created') group.display_name = display_name group.group_name = group_name group.ldap = ldap if group.ldap: group.refresh_ldap_members() group.root_password = root_password if not ldap: # LDAP groups don't have owners group.user_group_assocs.append(UserGroup(user=user, is_owner=True)) group.activity.append(GroupActivity(user, service=u'WEBUI', action=u'Added', field_name=u'User', old_value=None, new_value=user.user_name)) group.activity.append(GroupActivity(user, service=u'WEBUI', action=u'Added', field_name=u'Owner', old_value=None, new_value=user.user_name)) return group
def setUp(self): self.selenium = self.get_selenium() self.password = '******' # create users self.user_1 = data_setup.create_user(password=self.password) self.user_2 = data_setup.create_user(password=self.password) self.user_3 = data_setup.create_user(password=self.password) # create admin users self.admin_1 = data_setup.create_user(password=self.password) self.admin_1.groups.append(Group.by_name(u'admin')) self.admin_2 = data_setup.create_user(password=self.password) self.admin_2.groups.append(Group.by_name(u'admin')) # create systems self.system_1 = data_setup.create_system(shared=True) self.system_2 = data_setup.create_system(shared=True) self.system_3 = data_setup.create_system(shared=False, owner=self.user_3) # create group and add users/systems to it self.group_1 = data_setup.create_group() self.user_3.groups.append(self.group_1) self.admin_2.groups.append(self.group_1) self.system_2.groups.append(self.group_1) lc = data_setup.create_labcontroller() self.system_1.lab_controller = lc self.system_2.lab_controller = lc self.system_3.lab_controller = lc self.selenium.start()
def test_group_modify_add_member(self): with session.begin(): user = data_setup.create_user() mail_capture_thread.start_capturing() out = run_client(['bkr', 'group-modify', '--add-member', user.user_name, self.group.group_name], config = self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assert_(user.user_name in [u.user_name for u in group.users]) self.check_notification(user, group, action='Added') try: out = run_client(['bkr', 'group-modify', '--add-member', 'idontexist', self.group.group_name], config = self.client_config) self.fail('Must fail or die') except ClientError as e: self.assert_('User idontexist does not exist' in e.stderr_output, e.stderr_output) try: out = run_client(['bkr', 'group-modify', '--add-member', user.user_name, self.group.group_name], config = self.client_config) self.fail('Must fail or die') except ClientError as e: self.assert_('User %s is already a member of group %s' % (user.user_name, self.group.group_name) in e.stderr_output, e.stderr_output) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'User') self.assertEquals(group.activity[-1].user.user_id, self.user.user_id) self.assertEquals(group.activity[-1].new_value, user.user_name) self.assertEquals(group.activity[-1].service, u'HTTP') try: out = run_client(['bkr', 'group-modify', '--add-member', user.user_name, self.fake_ldap_group.group_name]) self.fail('Must fail or die') except ClientError as e: self.assert_('Cannot edit membership of group %s' % self.fake_ldap_group.group_name in e.stderr_output,e.stderr_output)
def test_group_create(self): group_name = data_setup.unique_name(u'group%s') display_name = u'My Group' out = run_client([ 'bkr', 'group-create', '--display-name', display_name, group_name ]) self.assert_('Group created' in out, out) with session.begin(): group = Group.by_name(group_name) self.assertEquals(group.display_name, display_name) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].new_value, data_setup.ADMIN_USER) self.assertEquals(group.activity[-1].service, u'HTTP') self.assertEquals(group.activity[-2].action, u'Added') self.assertEquals(group.activity[-2].field_name, u'User') self.assertEquals(group.activity[-2].new_value, data_setup.ADMIN_USER) self.assertEquals(group.activity[-2].service, u'HTTP') self.assertEquals(group.activity[-3].action, u'Created') self.assertEquals(group.activity[-3].service, u'HTTP') group_name = data_setup.unique_name(u'group%s') out = run_client(['bkr', 'group-create', group_name]) self.assert_('Group created' in out, out) with session.begin(): group = Group.by_name(group_name) self.assertEqual(group.group_name, group_name) self.assertEqual(group.display_name, group_name) group_name = data_setup.unique_name(u'group%s') try: _ = run_client(['bkr', 'group-create', group_name, group_name]) self.fail('Must fail or die') except ClientError as e: self.assert_( 'Exactly one group name must be specified' in e.stderr_output, e.stderr_output) try: _ = run_client( ['bkr', 'group-create', 'areallylonggroupname' * 20]) self.fail('Must fail or die') except ClientError as e: self.assertIn( 'Group name must be not more than 255 characters long', e.stderr_output) try: _ = run_client([ 'bkr', 'group-create', '--display-name', 'A really long group display name' * 20, 'agroup' ]) self.fail('Must fail or die') except ClientError as e: self.assertIn( 'Group display name must be not more than 255 characters long', e.stderr_output)
def create_group(): """ Creates a new user group in Beaker. The request must be :mimetype:`application/json`. :jsonparam string group_name: Symbolic name for the group. :jsonparam string display_name: Human-friendly display name for the group. :jsonparam string description: Description of the group. :jsonparam string root_password: Optional root password for group jobs. If this is not set, group jobs will use the root password preferences of the job submitter. :jsonparam string membership_type: Specifies how group membership is populated. Possible values are: * normal: Group is initially empty, members are explicitly added and removed by group owner. * ldap: Membership is populated from the LDAP group with the same group name. * inverted: Group contains all Beaker users *except* users who have been explicitly excluded by the group owner. :status 201: The group was successfully created. """ user = identity.current.user data = read_json_request(request) if 'group_name' not in data: raise BadRequest400('Missing group_name key') if 'display_name' not in data: raise BadRequest400('Missing display_name key') # for backwards compatibility if data.pop('ldap', False): data['membership_type'] = 'ldap' try: Group.by_name(data['group_name']) except NoResultFound: pass else: raise Conflict409("Group '%s' already exists" % data['group_name']) with convert_internal_errors(): group = Group.lazy_create(group_name=data['group_name']) group.display_name = data['display_name'] group.description = data.get('description') group.root_password = data.get('root_password') session.add(group) group.record_activity(user=user, service=u'HTTP', field=u'Group', action=u'Created') if data.get('membership_type'): group.membership_type = GroupMembershipType.from_string( data['membership_type']) if group.membership_type == GroupMembershipType.ldap: group.refresh_ldap_members() else: # LDAP groups don't have any owners group.add_member(user, is_owner=True, agent=identity.current.user) response = jsonify(group.__json__()) response.status_code = 201 response.headers.add('Location', absolute_url(group.href)) return response
def create_group(): """ Creates a new user group in Beaker. The request must be :mimetype:`application/json`. :jsonparam string group_name: Symbolic name for the group. :jsonparam string display_name: Human-friendly display name for the group. :jsonparam string description: Description of the group. :jsonparam string root_password: Optional root password for group jobs. If this is not set, group jobs will use the root password preferences of the job submitter. :jsonparam string membership_type: Specifies how group membership is populated. Possible values are: * normal: Group is initially empty, members are explicitly added and removed by group owner. * ldap: Membership is populated from the LDAP group with the same group name. * inverted: Group contains all Beaker users *except* users who have been explicitly excluded by the group owner. :status 201: The group was successfully created. """ user = identity.current.user data = read_json_request(request) if 'group_name' not in data: raise BadRequest400('Missing group_name key') if 'display_name' not in data: raise BadRequest400('Missing display_name key') # for backwards compatibility if data.pop('ldap', False): data['membership_type'] = 'ldap' try: Group.by_name(data['group_name']) except NoResultFound: pass else: raise Conflict409("Group '%s' already exists" % data['group_name']) with convert_internal_errors(): group = Group.lazy_create(group_name=data['group_name']) group.display_name = data['display_name'] group.description = data.get('description') group.root_password = data.get('root_password') session.add(group) group.record_activity(user=user, service=u'HTTP', field=u'Group', action=u'Created') if data.get('membership_type'): group.membership_type = GroupMembershipType.from_string( data['membership_type']) if group.membership_type == GroupMembershipType.ldap: group.refresh_ldap_members() else: # LDAP groups don't have any owners group.add_member(user, is_owner=True, agent=identity.current.user) response = jsonify(group.__json__()) response.status_code = 201 response.headers.add('Location', absolute_url(group.href)) return response
def test_remove_user_from_owning_group(self): with session.begin(): user = data_setup.create_user(password='******') group_name = data_setup.unique_name('AAAAAA%s') display_name = data_setup.unique_name('Group Display Name %s') b = self.browser login(b, user=self.user.user_name, password='******') b.get(get_server_base() + 'groups/mine') b.find_element_by_link_text('Add').click() b.find_element_by_xpath('//input[@id="Group_display_name"]').send_keys( display_name) b.find_element_by_xpath('//input[@id="Group_group_name"]').send_keys( group_name) b.find_element_by_id('Group').submit() b.find_element_by_xpath('//title[text()="My Groups"]') b.find_element_by_link_text(group_name).click() # add an user b.find_element_by_xpath( '//input[@id="GroupUser_user_text"]').send_keys(user.user_name) b.find_element_by_id('GroupUser').submit() self.mail_capture.captured_mails[:] = [] group_id = Group.by_name(group_name).group_id username = user.user_name user_id = user.user_id b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % username)\ .find_element_by_link_text('Remove').click() self.assertEquals( b.find_element_by_class_name('flash').text, '%s Removed' % username) with session.begin(): group = Group.by_name(group_name) self.check_notification(user, group, action='Removed') # remove self when I am the only owner of the group b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\ .find_element_by_link_text('Remove').click() self.assert_('Cannot remove member' in b.find_element_by_class_name( 'flash').text) # admin should be able to remove an owner, even if only one logout(b) #login back as admin login(b) b.get(get_server_base() + 'groups/edit?group_id=%s' % group_id) b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\ .find_element_by_link_text('Remove').click() self.assert_( '%s Removed' % self.user.user_name in b.find_element_by_class_name('flash').text)
def test_group_modify_grant_owner(self): with session.begin(): user1 = data_setup.create_user() self.group.add_member(user1) user2 = data_setup.create_user() self.group.add_member(user2) user3 = data_setup.create_user() out = run_client([ 'bkr', 'group-modify', '--grant-owner', user1.user_name, '--grant-owner', user2.user_name, self.group.group_name ], config=self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assert_(user1.user_id in [u.user_id for u in group.owners()]) self.assert_(user2.user_id in [u.user_id for u in group.owners()]) self.assertEquals( Activity.query.filter_by(service=u'HTTP', field_name=u'Owner', action=u'Added', new_value=user2.user_name).count(), 1) group = Group.by_name(group.group_name) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].new_value, user2.user_name) self.assertEquals(group.activity[-1].service, u'HTTP') # If the user is not a group member, add the user into the members list # first and then grant the group ownership. out = run_client([ 'bkr', 'group-modify', '--grant-owner', user3.user_name, self.group.group_name ], config=self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assertIn(user3, group.users) self.assertTrue(group.has_owner(user3)) try: out = run_client([ 'bkr', 'group-modify', '--grant-owner', user3.user_name, self.fake_ldap_group.group_name ], config=self.client_config) self.fail('Must fail or die') except ClientError as e: self.assert_('Cannot edit ownership of group' in e.stderr_output, e.stderr_output)
def test_adds_existing_user_to_admin_group(self): with session.begin(): admin_group = Group.by_name(u'admin') existing_user = data_setup.create_user() self.assertNotIn(admin_group, existing_user.groups) populate_db(user_name=existing_user.user_name) with session.begin(): admin_group = Group.by_name(u'admin') existing_user = User.query.get(existing_user.user_id) self.assertIn(admin_group, existing_user.groups) # run the same thing again, should have no effect but should not break populate_db(user_name=existing_user.user_name)
def test_adds_existing_user_to_admin_group(self): with session.begin(): admin_group = Group.by_name(u'admin') existing_user = data_setup.create_user() self.assertNotIn(admin_group, existing_user.groups) populate_db(user_name=existing_user.user_name) with session.begin(): admin_group = Group.by_name(u'admin') existing_user = User.query.get(existing_user.user_id) self.assertIn(admin_group, existing_user.groups) # run the same thing again, should have no effect but should not break populate_db(user_name=existing_user.user_name)
def test_adds_existing_user_to_admin_group(self): with session.begin(): admin_group = Group.by_name(u'admin') existing_user = data_setup.create_user() self.assertNotIn(admin_group, existing_user.groups) run_command('init.py', 'beaker-init', ['--user', existing_user.user_name]) with session.begin(): admin_group = Group.by_name(u'admin') existing_user = User.query.get(existing_user.user_id) self.assertIn(admin_group, existing_user.groups) # run the same thing again, should have no effect but should not break run_command('init.py', 'beaker-init', ['--user', existing_user.user_name])
def test_adds_existing_user_to_admin_group(self): with session.begin(): admin_group = Group.by_name(u'admin') existing_user = data_setup.create_user() self.assertNotIn(admin_group, existing_user.groups) run_command('init.py', 'beaker-init', ['--user', existing_user.user_name]) with session.begin(): admin_group = Group.by_name(u'admin') existing_user = User.query.get(existing_user.user_id) self.assertIn(admin_group, existing_user.groups) # run the same thing again, should have no effect but should not break run_command('init.py', 'beaker-init', ['--user', existing_user.user_name])
def test_group_modify_grant_owner(self): with session.begin(): user1 = data_setup.create_user() self.group.add_member(user1) user2 = data_setup.create_user() self.group.add_member(user2) user3 = data_setup.create_user() out = run_client(['bkr', 'group-modify', '--grant-owner', user1.user_name, '--grant-owner', user2.user_name, self.group.group_name], config = self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assert_(user1.user_id in [u.user_id for u in group.owners()]) self.assert_(user2.user_id in [u.user_id for u in group.owners()]) self.assertEquals(Activity.query.filter_by(service=u'HTTP', field_name=u'Owner', action=u'Added', new_value=user2.user_name).count(), 1) group = Group.by_name(group.group_name) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].new_value, user2.user_name) self.assertEquals(group.activity[-1].service, u'HTTP') # If the user is not a group member, add the user into the members list # first and then grant the group ownership. out = run_client(['bkr', 'group-modify', '--grant-owner', user3.user_name, self.group.group_name], config = self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assertIn(user3, group.users) self.assertTrue(group.has_owner(user3)) try: out = run_client(['bkr', 'group-modify', '--grant-owner', user3.user_name, self.fake_ldap_group.group_name], config = self.client_config) self.fail('Must fail or die') except ClientError, e: self.assert_('Cannot modify group ownership')
def test_remove_user_from_owning_group(self): with session.begin(): user = data_setup.create_user(password='******') group_name = data_setup.unique_name('AAAAAA%s') display_name = data_setup.unique_name('Group Display Name %s') b = self.browser login(b, user=self.user.user_name, password='******') b.get(get_server_base() + 'groups/mine') b.find_element_by_link_text('Add').click() b.find_element_by_xpath('//input[@id="Group_display_name"]').send_keys(display_name) b.find_element_by_xpath('//input[@id="Group_group_name"]').send_keys(group_name) b.find_element_by_id('Group').submit() b.find_element_by_xpath('//title[text()="My Groups"]') b.find_element_by_link_text(group_name).click() # add an user b.find_element_by_xpath('//input[@id="GroupUser_user_text"]').send_keys(user.user_name) b.find_element_by_id('GroupUser').submit() self.mail_capture.captured_mails[:] = [] group_id = Group.by_name(group_name).group_id username = user.user_name user_id = user.user_id b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % username)\ .find_element_by_link_text('Remove').click() self.assertEquals(b.find_element_by_class_name('flash').text, '%s Removed' % username) with session.begin(): group = Group.by_name(group_name) self.check_notification(user, group, action='Removed') # remove self when I am the only owner of the group b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\ .find_element_by_link_text('Remove').click() self.assert_('Cannot remove member' in b.find_element_by_class_name('flash').text) # admin should be able to remove an owner, even if only one logout(b) #login back as admin login(b) b.get(get_server_base() + 'groups/edit?group_id=%s' % group_id) b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % self.user.user_name)\ .find_element_by_link_text('Remove').click() self.assert_('%s Removed' % self.user.user_name in b.find_element_by_class_name('flash').text)
def revoke_owner(self, group_id=None, id=None, **kw): if group_id is not None and id is not None: group = Group.by_id(group_id) user = User.by_id(id) service = 'WEBUI' else: group = Group.by_name(kw['group_name']) user = User.by_user_name(kw['member_name']) service = 'XMLRPC' if group.membership_type == GroupMembershipType.ldap: raise GroupOwnerModificationForbidden('An LDAP group does not have an owner') if not group.can_edit(identity.current.user): raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group) if user not in group.users: raise GroupOwnerModificationForbidden('User is not a group member') if len(group.owners())==1 and not identity.current.user.is_admin(): raise GroupOwnerModificationForbidden('Cannot remove the only owner') else: group.revoke_ownership(user=user, agent=identity.current.user, service=service) # hack to return the user removing this owner # so that if the user was logged in as a group # owner, he/she can be redirected appropriately return str(identity.current.user.user_id)
def test_group_modify_group_name(self): group_name = 'mynewgroup' out = run_client([ 'bkr', 'group-modify', '--group-name', group_name, self.group.group_name ], config=self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(group_name) self.assertEquals(group.group_name, group_name) self.assertEquals(group.activity[-1].action, u'Changed') self.assertEquals(group.activity[-1].field_name, u'Name') self.assertEquals(group.activity[-1].user.user_id, self.user.user_id) self.assertEquals(group.activity[-1].new_value, group_name) self.assertEquals(group.activity[-1].service, u'XMLRPC') try: out = run_client([ 'bkr', 'group-modify', '--group-name', 'areallylonggroupname' * 20, self.group.group_name ], config=self.client_config) self.fail('Must fail or die') except ClientError, e: max_length = Group.group_name.property.columns[0].type.length self.assertRegexpMatches( e.stderr_output, 'Enter a value (less|not more) than %r characters long' % max_length)
def save_system_access_policy(fqdn): system = _get_system_by_FQDN(fqdn) if not system.can_edit_policy(identity.current.user): raise Forbidden403('Cannot edit system policy') if system.custom_access_policy: policy = system.custom_access_policy else: policy = system.custom_access_policy = SystemAccessPolicy() data = read_json_request(request) # Figure out what is added, what is removed. # Rules are immutable, so if it has an id it is unchanged, # if it has no id it is new. kept_rule_ids = frozenset(r['id'] for r in data['rules'] if 'id' in r) removed = [] for old_rule in policy.rules: if old_rule.id not in kept_rule_ids: removed.append(old_rule) for old_rule in removed: system.record_activity(user=identity.current.user, service=u'HTTP', field=u'Access Policy Rule', action=u'Removed', old=repr(old_rule)) policy.rules.remove(old_rule) for rule in data['rules']: if 'id' not in rule: user = User.by_user_name(rule['user']) if rule['user'] else None group = Group.by_name(rule['group']) if rule['group'] else None permission = SystemPermission.from_string(rule['permission']) new_rule = policy.add_rule(user=user, group=group, everybody=rule['everybody'], permission=permission) system.record_activity(user=identity.current.user, service=u'HTTP', field=u'Access Policy Rule', action=u'Added', new=repr(new_rule)) return '', 204
def test_admin_cannot_rename_protected_group(self): # See https://bugzilla.redhat.com/show_bug.cgi?id=961206 protected_group_name = u'admin' with session.begin(): group = Group.by_name(protected_group_name) expected_display_name = group.display_name # Run command as the default admin user try: out = run_client(['bkr', 'group-modify', '--group-name', 'new_admin', '--display-name', 'this is also unchanged', protected_group_name]) self.fail('Must fail or die') except ClientError as e: self.assert_('Cannot rename protected group' in e.stderr_output, e.stderr_output) # Check the whole request is ignored if the name change is rejected with session.begin(): session.refresh(group) self.assertEquals(group.group_name, protected_group_name) self.assertEquals(group.display_name, expected_display_name) # However, changing just the display name is fine new_display_name = 'Tested admin group' out = run_client(['bkr', 'group-modify', '--display-name', new_display_name, protected_group_name]) with session.begin(): session.refresh(group) self.assertEquals(group.group_name, protected_group_name) self.assertEquals(group.display_name, new_display_name)
def test_group_modify_group_name(self): group_name = u'mynewgroup' out = run_client(['bkr', 'group-modify', '--group-name', group_name, self.group.group_name], config = self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(group_name) self.assertEquals(group.group_name, group_name) self.assertEquals(group.activity[-1].action, u'Changed') self.assertEquals(group.activity[-1].field_name, u'Name') self.assertEquals(group.activity[-1].user.user_id, self.user.user_id) self.assertEquals(group.activity[-1].new_value, group_name) self.assertEquals(group.activity[-1].service, u'HTTP') try: out = run_client(['bkr', 'group-modify', '--group-name', 'areallylonggroupname'*20, self.group.group_name], config = self.client_config) self.fail('Must fail or die') except ClientError,e: self.assertIn( 'Group name must be not more than 255 characters long', e.stderr_output)
def create_admin(user_name=None, **kwargs): if user_name is None: user_name = unique_name(u'admin%s') user = create_user(user_name=user_name, **kwargs) group = Group.by_name(u'admin') group.add_member(user, service=u'testdata') return user
def test_remove_self_admin_group(self): with session.begin(): user = data_setup.create_admin(password='******') b = self.browser login(b, user=user.user_name, password='******') # admin should be in groups/mine b.get(get_server_base() + 'groups/mine') b.find_element_by_link_text('admin').click() # remove self b.find_element_by_xpath('//td/a[text()="Remove (-)" and ../preceding-sibling::td[2]/text()="%s"]' % user.user_name).click() # admin should not be in groups/mine b.get(get_server_base() + 'groups/mine') self.assertTrue(not is_text_present(b, 'admin')) logout(b) # login as admin login(b) group = Group.by_name('admin') group_users = group.users # remove all other users from 'admin' b.get(get_server_base() + 'groups/edit?group_id=1') for usr in group_users: if usr.user_id != 1: b.find_element_by_xpath('//td/a[text()="Remove (-)" and ../preceding-sibling::td[2]/text()="%s"]' % usr.user_name).click() # attempt to remove admin user b.find_element_by_xpath('//a[@href="removeUser?group_id=1&id=1"]').click() self.assert_('Cannot remove member' in b.find_element_by_class_name('flash').text)
def add_system_access_policy_rule(fqdn): system = _get_system_by_FQDN(fqdn) if not system.can_edit_policy(identity.current.user): raise Forbidden403('Cannot edit system policy') if system.custom_access_policy: policy = system.custom_access_policy else: policy = system.custom_access_policy = SystemAccessPolicy() rule = read_json_request(request) if rule['user']: user = User.by_user_name(rule['user']) if not user: raise BadRequest400("User '%s' does not exist" % rule['user']) else: user = None if rule['group']: try: group = Group.by_name(rule['group']) except NoResultFound: raise BadRequest400("Group '%s' does not exist" % rule['group']) else: group = None try: permission = SystemPermission.from_string(rule['permission']) except ValueError: raise BadRequest400 new_rule = policy.add_rule(user=user, group=group, everybody=rule['everybody'], permission=permission) system.record_activity(user=identity.current.user, service=u'HTTP', field=u'Access Policy Rule', action=u'Added', new=repr(new_rule)) return '', 204
def test_create_new_group(self): b = self.browser login(b, user=self.user.user_name, password='******') b.get(get_server_base() + 'groups/mine') b.find_element_by_link_text('Add ( + )').click() b.find_element_by_xpath('//input[@id="Group_display_name"]'). \ send_keys('Group FBZ') b.find_element_by_xpath('//input[@id="Group_group_name"]'). \ send_keys('FBZ') b.find_element_by_xpath('//input[@id="Group_root_password"]'). \ send_keys('blapppy7') b.find_element_by_xpath('//input[@value="Save"]').click() b.find_element_by_xpath('//title[text()="My Groups"]') b.find_element_by_link_text('FBZ').click() with session.begin(): self.assertEquals(Activity.query.filter_by(service=u'WEBUI', field_name=u'Group', action=u'Added', new_value=u'Group FBZ').count(), 1) group = Group.by_name(u'FBZ') self.assertEquals(group.display_name, u'Group FBZ') self.assert_(group.has_owner(self.user)) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].new_value, self.user.user_name) self.assertEquals(group.activity[-1].service, u'WEBUI') self.assertEquals(group.activity[-2].action, u'Added') self.assertEquals(group.activity[-2].field_name, u'User') self.assertEquals(group.activity[-2].new_value, self.user.user_name) self.assertEquals(group.activity[-2].service, u'WEBUI') self.failUnless(crypt.crypt('blapppy7', group.root_password) == group.root_password, group.root_password)
def grant_owner(self, group_id=None, id=None, **kw): if group_id is not None and id is not None: group = Group.by_id(group_id) user = User.by_id(id) service = 'WEBUI' else: group = Group.by_name(kw['group_name']) user = User.by_user_name(kw['member_name']) service = 'XMLRPC' if group.ldap: raise GroupOwnerModificationForbidden( 'An LDAP group does not have an owner') if not group.can_edit(identity.current.user): raise GroupOwnerModificationForbidden( 'You are not an owner of the group %s' % group) if user not in group.users: raise GroupOwnerModificationForbidden('User is not a group member') else: for assoc in group.user_group_assocs: if assoc.user == user: if not assoc.is_owner: assoc.is_owner = True group.record_activity(user=identity.current.user, service=service, field=u'Owner', action='Added', old=u'', new=user.user_name) return ''
def members(self, group_name): """ List the members of an existing group. :param group_name: An existing group name :type group_name: string Returns a list of the members (a dictionary containing each member's username, email, and whether the member is an owner or not). """ try: group = Group.by_name(group_name) except NoResultFound: raise BX(_(u'Group does not exist: %s.' % group_name)) users=[] for u in group.users: user={} user['username']=u.user_name user['email'] = u.email_address if group.has_owner(u): user['owner'] = True else: user['owner'] = False users.append(user) return users
def grant_owner(self, group_id=None, id=None, **kw): if group_id is not None and id is not None: group = Group.by_id(group_id) user = User.by_id(id) service = 'WEBUI' else: group = Group.by_name(kw['group_name']) user = User.by_user_name(kw['member_name']) service = 'XMLRPC' if group.ldap: raise GroupOwnerModificationForbidden('An LDAP group does not have an owner') if not group.can_edit(identity.current.user): raise GroupOwnerModificationForbidden('You are not an owner of the group %s' % group) if user not in group.users: raise GroupOwnerModificationForbidden('User is not a group member') else: for assoc in group.user_group_assocs: if assoc.user == user: if not assoc.is_owner: assoc.is_owner = True group.record_activity(user=identity.current.user, service=service, field=u'Owner', action='Added', old=u'', new=user.user_name) return ''
def members(self, group_name): """ List the members of an existing group. :param group_name: An existing group name :type group_name: string Returns a list of the members (a dictionary containing each member's username, email, and whether the member is an owner or not). """ try: group = Group.by_name(group_name) except NoResultFound: raise BX(_(u'Group does not exist: %s.' % group_name)) users = [] for u in group.users: user = {} user['username'] = u.user_name user['email'] = u.email_address if group.has_owner(u): user['owner'] = True else: user['owner'] = False users.append(user) return users
def test_ldap_group(self): if not config.get("identity.ldap.enabled", False): raise SkipTest('Server is not configured for LDAP') group_name = u'wyfp' display_name = u'My LDAP Group' out = run_client(['bkr', 'group-create', '--ldap', '--display-name', display_name, group_name]) group = Group.by_name(group_name) self.assertEquals(group.membership_type, GroupMembershipType.ldap) self.assertEquals(group.users, [User.by_user_name(u'asaha')]) with session.begin(): rand_user = data_setup.create_user(password = '******') rand_client_config = create_client_config(username=rand_user.user_name, password='******') group_name = u'alp' display_name = u'ALP' try: out = run_client(['bkr', 'group-create', '--ldap', '--display-name', display_name, group_name], config = rand_client_config) self.fail('Must fail or die') except ClientError, e: self.assert_('Only admins can create LDAP groups' in e.stderr_output)
def _from_csv(cls,system,data,csv_type,log): """ Import data from CSV file into system.groups """ if 'group' in data and data['group']: try: group = Group.by_name(data['group']) except InvalidRequestError: group = Group(group_name=data['group'], display_name=data['group']) session.add(group) deleted = False if 'deleted' in data: deleted = smart_bool(data['deleted']) if deleted: if group in system.groups: activity = SystemActivity(identity.current.user, 'CSV', 'Removed', 'group', '%s' % group, '') system.activity.append(activity) system.groups.remove(group) else: if group not in system.groups: system.groups.append(group) activity = SystemActivity(identity.current.user, 'CSV', 'Added', 'group', '', '%s' % group) system.activity.append(activity) else: log.append("%s: group can't be empty!" % system.fqdn) return False return True
def from_csv(cls,user,data,log): """ Import data from CSV file into user.groups """ if 'group' in data and data['group']: try: group = Group.by_name(data['group']) except InvalidRequestError: group = Group(group_name=data['group'], display_name=data['group']) session.add(group) deleted = False if 'deleted' in data: deleted = smart_bool(data['deleted']) if deleted: if group in user.groups: group.record_activity(user=identity.current.user, service=u'CSV', field=u'User', action=u'Removed', old=user) user.groups.remove(group) else: if group not in user.groups: group.record_activity(user=identity.current.user, service=u'CSV', field=u'User', action=u'Added', new=user) user.groups.append(group) else: log.append("%s: group can't be empty!" % user) return False return True
def from_csv(cls,user,data,log): """ Import data from CSV file into user.groups """ if 'group' in data and data['group']: try: group = Group.by_name(data['group']) except InvalidRequestError: group = Group(group_name=data['group'], display_name=data['group']) session.add(group) deleted = False if 'deleted' in data: deleted = smart_bool(data['deleted']) if deleted: if group in user.groups: group.remove_member(user, service=u'CSV', agent=identity.current.user) else: if group not in user.groups: group.add_member(user, service=u'CSV', agent=identity.current.user) else: log.append("%s: group can't be empty!" % user) return False return True
def test_create_new_group(self): b = self.browser login(b, user=self.user.user_name, password='******') b.get(get_server_base() + 'groups/mine') b.find_element_by_link_text('Add').click() b.find_element_by_xpath('//input[@id="Group_display_name"]'). \ send_keys('Group FBZ') b.find_element_by_xpath('//input[@id="Group_group_name"]'). \ send_keys('FBZ') b.find_element_by_xpath('//input[@id="Group_root_password"]'). \ send_keys('blapppy7') b.find_element_by_id('Group').submit() b.find_element_by_xpath('//title[text()="My Groups"]') b.find_element_by_link_text('FBZ').click() with session.begin(): group = Group.by_name(u'FBZ') self.assertEquals(group.display_name, u'Group FBZ') self.assert_(group.has_owner(self.user)) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].new_value, self.user.user_name) self.assertEquals(group.activity[-1].service, u'WEBUI') self.assertEquals(group.activity[-2].action, u'Added') self.assertEquals(group.activity[-2].field_name, u'User') self.assertEquals(group.activity[-2].new_value, self.user.user_name) self.assertEquals(group.activity[-2].service, u'WEBUI') self.assertEquals(group.activity[-3].action, u'Created') self.assertEquals(group.activity[-3].service, u'WEBUI') self.assertEquals('blapppy7', group.root_password)
def test_group_modify_add_member(self): with session.begin(): user = data_setup.create_user() out = run_client(['bkr', 'group-modify', '--add-member', user.user_name, self.group.group_name], config = self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assert_(user.user_name in [u.user_name for u in group.users]) self.check_notification(user, group, action='Added') try: out = run_client(['bkr', 'group-modify', '--add-member', 'idontexist', self.group.group_name], config = self.client_config) self.fail('Must fail or die') except ClientError, e: self.assert_('User does not exist' in e.stderr_output, e.stderr_output)
def process_xmljob(self, xmljob, user, ignore_missing_tasks=False): # We start with the assumption that the owner == 'submitting user', until # we see otherwise. submitter = user if user.rootpw_expired: raise BX( _('Your root password has expired, please change or clear it in order to submit jobs.' )) owner_name = xmljob.get_xml_attr('user', unicode, None) if owner_name: owner = User.by_user_name(owner_name) if owner is None: raise ValueError('%s is not a valid user name' % owner_name) if not submitter.is_delegate_for(owner): raise ValueError( '%s is not a valid submission delegate for %s' % (submitter, owner)) else: owner = user group_name = xmljob.get_xml_attr('group', unicode, None) group = None if group_name: try: group = Group.by_name(group_name) except NoResultFound, e: raise ValueError('%s is not a valid group' % group_name) if group not in owner.groups: raise BX( _(u'User %s is not a member of group %s' % (owner.user_name, group.group_name)))
def process_xmljob(self, xmljob, user, ignore_missing_tasks=False): # We start with the assumption that the owner == 'submitting user', until # we see otherwise. submitter = user if user.rootpw_expired: raise BX(_('Your root password has expired, please change or clear it in order to submit jobs.')) owner_name = xmljob.get_xml_attr('user', unicode, None) if owner_name: owner = User.by_user_name(owner_name) if owner is None: raise ValueError('%s is not a valid user name' % owner_name) if not submitter.is_delegate_for(owner): raise ValueError('%s is not a valid submission delegate for %s' % (submitter, owner)) else: owner = user group_name = xmljob.get_xml_attr('group', unicode, None) group = None if group_name: try: group = Group.by_name(group_name) except NoResultFound, e: raise ValueError('%s is not a valid group' % group_name) if group not in owner.groups: raise BX(_(u'User %s is not a member of group %s' % (owner.user_name, group.group_name)))
def create_admin(user_name=None, **kwargs): if user_name is None: user_name = unique_name(u'admin%s') user = create_user(user_name=user_name, **kwargs) group = Group.by_name(u'admin') group.add_member(user, service=u'testdata') return user
def test_group_modify_add_member(self): with session.begin(): user = data_setup.create_user() out = run_client([ 'bkr', 'group-modify', '--add-member', user.user_name, self.group.group_name ], config=self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assert_(user.user_name in [u.user_name for u in group.users]) self.check_notification(user, group, action='Added') try: out = run_client([ 'bkr', 'group-modify', '--add-member', 'idontexist', self.group.group_name ], config=self.client_config) self.fail('Must fail or die') except ClientError, e: self.assert_('User idontexist does not exist' in e.stderr_output, e.stderr_output)
def test_group_modify_group_name(self): group_name = u'mynewgroup' out = run_client([ 'bkr', 'group-modify', '--group-name', group_name, self.group.group_name ], config=self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(group_name) self.assertEquals(group.group_name, group_name) self.assertEquals(group.activity[-1].action, u'Changed') self.assertEquals(group.activity[-1].field_name, u'Name') self.assertEquals(group.activity[-1].user.user_id, self.user.user_id) self.assertEquals(group.activity[-1].new_value, group_name) self.assertEquals(group.activity[-1].service, u'HTTP') try: out = run_client([ 'bkr', 'group-modify', '--group-name', 'areallylonggroupname' * 20, self.group.group_name ], config=self.client_config) self.fail('Must fail or die') except ClientError, e: self.assertIn( 'Group name must be not more than 255 characters long', e.stderr_output)
def from_csv(cls, user, data, log): """ Import data from CSV file into user.groups """ if 'group' in data and data['group']: try: group = Group.by_name(data['group']) except InvalidRequestError: group = Group(group_name=data['group'], display_name=data['group']) session.add(group) deleted = False if 'deleted' in data: deleted = smart_bool(data['deleted']) if deleted: if group in user.groups: group.remove_member(user, service=u'CSV', agent=identity.current.user) else: if group not in user.groups: group.add_member(user, service=u'CSV', agent=identity.current.user) else: log.append("%s: group can't be empty!" % user) return False return True
def test_ldap_group(self): group_name = u'wyfp' display_name = u'My LDAP Group' out = run_client([ 'bkr', 'group-create', '--ldap', '--display-name', display_name, group_name ]) group = Group.by_name(group_name) self.assertEquals(group.membership_type, GroupMembershipType.ldap) self.assertEquals(group.users, [User.by_user_name(u'asaha')]) with session.begin(): rand_user = data_setup.create_user(password='******') rand_client_config = create_client_config(username=rand_user.user_name, password='******') group_name = u'alp' display_name = u'ALP' try: out = run_client([ 'bkr', 'group-create', '--ldap', '--display-name', display_name, group_name ], config=rand_client_config) self.fail('Must fail or die') except ClientError, e: self.assert_( 'Only admins can create LDAP groups' in e.stderr_output)
def revoke_owner(self, group_id=None, id=None, **kw): if group_id is not None and id is not None: group = Group.by_id(group_id) user = User.by_id(id) service = 'WEBUI' else: group = Group.by_name(kw['group_name']) user = User.by_user_name(kw['member_name']) service = 'XMLRPC' if group.membership_type == GroupMembershipType.ldap: raise GroupOwnerModificationForbidden( 'An LDAP group does not have an owner') if not group.can_edit(identity.current.user): raise GroupOwnerModificationForbidden( 'You are not an owner of group %s' % group) if user not in group.users: raise GroupOwnerModificationForbidden('User is not a group member') if len(group.owners()) == 1 and not identity.current.user.is_admin(): raise GroupOwnerModificationForbidden( 'Cannot remove the only owner') else: group.revoke_ownership(user=user, agent=identity.current.user, service=service) # hack to return the user removing this owner # so that if the user was logged in as a group # owner, he/she can be redirected appropriately return str(identity.current.user.user_id)
def revoke_owner(self, group_id=None, id=None, **kw): if group_id is not None and id is not None: group = Group.by_id(group_id) user = User.by_id(id) service = 'WEBUI' else: group = Group.by_name(kw['group_name']) user = User.by_user_name(kw['member_name']) service = 'XMLRPC' if group.ldap: raise GroupOwnerModificationForbidden('An LDAP group does not have an owner') if not group.can_edit(identity.current.user): raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group) if user not in group.users: raise GroupOwnerModificationForbidden('User is not a group member') if len(group.owners())==1 and not identity.current.user.is_admin(): raise GroupOwnerModificationForbidden('Cannot remove the only owner') else: for assoc in group.user_group_assocs: if assoc.user == user: if assoc.is_owner: assoc.is_owner = False group.record_activity(user=identity.current.user, service=service, field=u'Owner', action='Removed', old=user.user_name, new=u'') # hack to return the user removing this owner # so that if the user was logged in as a group # owner, he/she can be redirected appropriately return str(identity.current.user.user_id)
def test_ldap_group(self): group_name = 'wyfp' display_name = 'My LDAP Group' out = run_client(['bkr', 'group-create', '--ldap', '--display-name', display_name, group_name]) group = Group.by_name(group_name) self.assertEquals(group.ldap, True) self.assertEquals(group.users, [User.by_user_name(u'asaha')]) with session.begin(): rand_user = data_setup.create_user(password = '******') rand_client_config = create_client_config(username=rand_user.user_name, password='******') group_name = 'alp' display_name = 'ALP' try: out = run_client(['bkr', 'group-create', '--ldap', '--display-name', display_name, group_name], config = rand_client_config) self.fail('Must fail or die') except ClientError, e: self.assert_('Only admins can create LDAP groups' in e.stderr_output)
def test_group_modify_group_name(self): group_name = 'mynewgroup' out = run_client(['bkr', 'group-modify', '--group-name', group_name, self.group.group_name], config = self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(group_name) self.assertEquals(group.group_name, group_name) self.assertEquals(group.activity[-1].action, u'Changed') self.assertEquals(group.activity[-1].field_name, u'Name') self.assertEquals(group.activity[-1].user.user_id, self.user.user_id) self.assertEquals(group.activity[-1].new_value, group_name) self.assertEquals(group.activity[-1].service, u'XMLRPC') try: out = run_client(['bkr', 'group-modify', '--group-name', 'areallylonggroupname'*20, self.group.group_name], config = self.client_config) self.fail('Must fail or die') except ClientError,e: max_length = Group.group_name.property.columns[0].type.length self.assertRegexpMatches(e.stderr_output, 'Enter a value (less|not more) than %r characters long' % max_length)
def test_create_new_group(self): b = self.browser login(b, user=self.user.user_name, password='******') b.get(get_server_base() + 'groups/mine') b.find_element_by_link_text('Add').click() b.find_element_by_xpath('//input[@id="Group_display_name"]'). \ send_keys('Group FBZ') b.find_element_by_xpath('//input[@id="Group_group_name"]'). \ send_keys('FBZ') b.find_element_by_xpath('//input[@id="Group_root_password"]'). \ send_keys('blapppy7') b.find_element_by_id('Group').submit() b.find_element_by_xpath('//title[text()="My Groups"]') b.find_element_by_link_text('FBZ').click() with session.begin(): group = Group.by_name(u'FBZ') self.assertEquals(group.display_name, u'Group FBZ') self.assert_(group.has_owner(self.user)) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].new_value, self.user.user_name) self.assertEquals(group.activity[-1].service, u'WEBUI') self.assertEquals(group.activity[-2].action, u'Added') self.assertEquals(group.activity[-2].field_name, u'User') self.assertEquals(group.activity[-2].new_value, self.user.user_name) self.assertEquals(group.activity[-2].service, u'WEBUI') self.assertEquals(group.activity[-3].action, u'Created') self.assertEquals(group.activity[-3].service, u'WEBUI') self.assertEquals('blapppy7', group.root_password)
def grant_owner(self, group_id=None, id=None, **kw): if group_id is not None and id is not None: group = Group.by_id(group_id) user = User.by_id(id) service = 'WEBUI' else: group = Group.by_name(kw['group_name']) user = User.by_user_name(kw['member_name']) service = 'XMLRPC' if group.membership_type == GroupMembershipType.ldap: raise GroupOwnerModificationForbidden( 'An LDAP group does not have an owner') if not group.can_edit(identity.current.user): raise GroupOwnerModificationForbidden( 'You are not an owner of the group %s' % group) if user not in group.users: raise GroupOwnerModificationForbidden('User is not a group member') else: group.grant_ownership(user=user, agent=identity.current.user, service=service) return ''
def test_add_remove_owner_group(self): with session.begin(): user = data_setup.create_user(password='******') group = data_setup.create_group(owner=user) user1 = data_setup.create_user(password='******') b = self.browser login(b, user=user.user_name, password='******') b.get(get_server_base() + 'groups/mine') # remove self (as only owner) b.find_element_by_link_text(group.group_name).click() b.find_element_by_xpath('//td[preceding-sibling::td/text()="%s"]' % user.user_name)\ .find_element_by_link_text('Remove').click() flash_text = b.find_element_by_class_name('flash').text self.assert_("Cannot remove the only owner" in flash_text) # add a new user as owner b.find_element_by_xpath('//input[@id="GroupUser_user_text"]').send_keys(user1.user_name) b.find_element_by_id('GroupUser').submit() b.find_element_by_xpath('//td[text()="%s"]' % user1.user_name) b.find_element_by_xpath('//td[preceding-sibling::td/text()="%s"]' % user1.user_name)\ .find_element_by_link_text('Add').click() b.find_element_by_xpath('//td[preceding-sibling::td/text()="%s"]' % user1.user_name)\ .find_element_by_link_text('Remove') logout(b) # login as the new user and check for ownership login(b, user=user1.user_name, password='******') b.get(get_server_base() + 'groups/mine') b.find_element_by_link_text(group.group_name).click() b.find_element_by_xpath('//input') with session.begin(): self.assertEquals(Activity.query.filter_by(service=u'WEBUI', field_name=u'Owner', action=u'Added', new_value=user1.user_name).count(), 1) group = Group.by_name(group.group_name) self.assert_(group.has_owner(user1)) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].new_value, user1.user_name) self.assertEquals(group.activity[-1].service, u'WEBUI') # remove self as owner b.find_element_by_xpath('//td[preceding-sibling::td/text()="%s"]' % user1.user_name)\ .find_element_by_link_text('Remove').click() b.find_element_by_xpath('//title[text()="My Groups"]') with session.begin(): self.assertEquals(Activity.query.filter_by(service=u'WEBUI', field_name=u'Owner', action=u'Removed', old_value=user1.user_name).count(), 1) session.refresh(group) self.assertEquals(group.activity[-1].action, u'Removed') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].old_value, user1.user_name) self.assertEquals(group.activity[-1].service, u'WEBUI')
def save(self, group_id=None, display_name=None, group_name=None, ldap=False, root_password=None, **kwargs): user = identity.current.user if ldap and not user.is_admin(): flash(_(u'Only admins can create LDAP groups')) redirect('mine') try: group = Group.by_id(group_id) except DatabaseLookupError: flash(_(u"Group %s does not exist." % group_id)) redirect('mine') try: Group.by_name(group_name) except NoResultFound: pass else: if group_name != group.group_name: flash( _(u'Failed to update group %s: Group name already exists: %s' % (group.group_name, group_name))) redirect('mine') if not group.can_edit(user): flash(_(u'You are not an owner of group %s' % group)) redirect('../groups/mine') try: group.set_name(user, u'WEBUI', group_name) group.set_display_name(user, u'WEBUI', display_name) group.ldap = ldap group.set_root_password(user, u'WEBUI', root_password) except BeakerException, err: session.rollback() flash(_(u'Failed to update group %s: %s' % (group.group_name, err))) redirect('.')
def test_group_description(self): group_name = data_setup.unique_name(u'group%s') description = 'This is a boring group' out = run_client( ['bkr', 'group-create', '--description', description, group_name]) self.assert_('Group created' in out, out) with session.begin(): group = Group.by_name(group_name) self.assertEquals(group.description, description)
def test_group_modify_revoke_owner(self): with session.begin(): user1 = data_setup.create_user() self.group.add_member(user1) user2 = data_setup.create_user() self.group.add_member(user2) user3 = data_setup.create_user() out = run_client([ 'bkr', 'group-modify', '--grant-owner', user1.user_name, '--grant-owner', user2.user_name, self.group.group_name ], config=self.client_config) out = run_client([ 'bkr', 'group-modify', '--revoke-owner', user1.user_name, '--revoke-owner', user2.user_name, self.group.group_name ], config=self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assert_( user1.user_id not in [u.user_id for u in group.owners()]) self.assert_( user2.user_id not in [u.user_id for u in group.owners()]) self.assertEquals( Activity.query.filter_by(service=u'HTTP', field_name=u'Owner', action=u'Removed', old_value=user2.user_name).count(), 1) self.assertEquals(group.activity[-1].action, u'Removed') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].old_value, user2.user_name) self.assertEquals(group.activity[-1].service, u'HTTP') try: out = run_client([ 'bkr', 'group-modify', '--revoke-owner', user3.user_name, self.group.group_name ], config=self.client_config) self.fail('Must fail or die') except ClientError as e: self.assert_('User is not a member of group' in e.stderr_output) try: out = run_client([ 'bkr', 'group-modify', '--revoke-owner', user3.user_name, self.fake_ldap_group.group_name ], config=self.client_config) self.fail('Must fail or die') except ClientError as e: self.assert_('Cannot edit ownership of group' in e.stderr_output, e.stderr_output)
def create(self, kw): """ Creates a new group. The *kw* argument must be an XML-RPC structure (dict) specifying the following keys: 'group_name' Group name (maximum 16 characters) 'display_name' Group display name 'ldap' Populate users from LDAP (True/False) Returns a message whether the group was successfully created or raises an exception on failure. """ display_name = kw.get('display_name') group_name = kw.get('group_name') ldap = kw.get('ldap') password = kw.get('root_password') if ldap and not identity.current.user.is_admin(): raise BX(_(u'Only admins can create LDAP groups')) try: group = Group.by_name(group_name) except NoResultFound: #validate GroupFormSchema.fields['group_name'].to_python(group_name) GroupFormSchema.fields['display_name'].to_python(display_name) group = Group() session.add(group) group.record_activity(user=identity.current.user, service=u'XMLRPC', field=u'Group', action=u'Created') group.display_name = display_name group.group_name = group_name group.ldap = ldap group.root_password = password user = identity.current.user if not ldap: group.user_group_assocs.append(UserGroup(user=user, is_owner=True)) group.activity.append(GroupActivity(user, service=u'XMLRPC', action=u'Added', field_name=u'User', old_value=None, new_value=user.user_name)) group.activity.append(GroupActivity(user, service=u'XMLRPC', action=u'Added', field_name=u'Owner', old_value=None, new_value=user.user_name)) if group.ldap: group.refresh_ldap_members() return 'Group created: %s.' % group_name else: raise BX(_(u'Group already exists: %s.' % group_name))
def _new_group(self, group_id, display_name, group_name, ldap, root_password): user = identity.current.user if ldap and not user.is_admin(): flash(_(u'Only admins can create LDAP groups')) redirect('.') try: Group.by_name(group_name) except NoResultFound: pass else: flash(_(u"Group %s already exists." % group_name)) redirect(".") group = Group() session.add(group) group.record_activity(user=user, service=u'WEBUI', field=u'Group', action=u'Created') group.display_name = display_name group.group_name = group_name group.ldap = ldap if group.ldap: group.refresh_ldap_members() group.root_password = root_password if not ldap: # LDAP groups don't have owners group.user_group_assocs.append(UserGroup(user=user, is_owner=True)) group.activity.append( GroupActivity(user, service=u'WEBUI', action=u'Added', field_name=u'User', old_value=None, new_value=user.user_name)) group.activity.append( GroupActivity(user, service=u'WEBUI', action=u'Added', field_name=u'Owner', old_value=None, new_value=user.user_name)) return group
def test_group_modify_remove_member(self): with session.begin(): user = data_setup.create_user() self.group.add_member(user) session.flush() self.assert_(user in self.group.users) mail_capture_thread.start_capturing() out = run_client([ 'bkr', 'group-modify', '--remove-member', user.user_name, self.group.group_name ], config=self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assert_( user.user_name not in [u.user_name for u in group.users]) self.check_notification(user, group, action='Removed') with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assertEquals(group.activity[-1].action, u'Removed') self.assertEquals(group.activity[-1].field_name, u'User') self.assertEquals(group.activity[-1].user.user_id, self.user.user_id) self.assertEquals(group.activity[-1].old_value, user.user_name) self.assertEquals(group.activity[-1].new_value, None) self.assertEquals(group.activity[-1].service, u'HTTP') try: out = run_client([ 'bkr', 'group-modify', '--remove-member', 'idontexist', self.group.group_name ], config=self.client_config) self.fail('Must fail or die') except ClientError, e: self.assert_('User idontexist does not exist' in e.stderr_output, e.stderr_output)
def test_remove_self_admin_group(self): with session.begin(): user = data_setup.create_admin(password='******') b = self.browser login(b, user=user.user_name, password='******') # admin should be in groups/mine b.get(get_server_base() + 'groups/mine') b.find_element_by_link_text('admin').click() # remove self b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % user.user_name)\ .find_element_by_link_text('Remove').click() self.assertEquals( b.find_element_by_class_name('flash').text, '%s Removed' % user.user_name) # admin should not be in groups/mine b.get(get_server_base() + 'groups/mine') check_group_search_results(b, absent=[Group.by_name(u'admin')]) logout(b) # login as admin login(b) group = Group.by_name('admin') group_users = group.users # remove all other users from 'admin' b.get(get_server_base() + 'groups/edit?group_id=1') for usr in group_users: if usr.user_id != 1: b.find_element_by_xpath('//td[preceding-sibling::td[2]/text()="%s"]' % usr.user_name)\ .find_element_by_link_text('Remove').click() self.assertEquals( b.find_element_by_class_name('flash').text, '%s Removed' % usr.user_name) # attempt to remove admin user b.find_element_by_xpath( '//a[@href="removeUser?group_id=1&id=1"]').click() self.assert_('Cannot remove member' in b.find_element_by_class_name( 'flash').text)
def test_group_description(self): group_name = data_setup.unique_name(u'group%s') description = 'This is a boring group' out = run_client(['bkr', 'group-create', '--description', description, group_name]) self.assert_('Group created' in out, out) with session.begin(): group = Group.by_name(group_name) self.assertEquals(group.description, description)
def create(self, kw): """ Creates a new group. The *kw* argument must be an XML-RPC structure (dict) specifying the following keys: 'group_name' Group name (maximum 16 characters) 'display_name' Group display name 'description' Group description 'ldap' Populate users from LDAP (True/False) Returns a message whether the group was successfully created or raises an exception on failure. """ display_name = kw.get('display_name') group_name = kw.get('group_name') description = kw.get('description') ldap = kw.get('ldap') password = kw.get('root_password') if ldap and not identity.current.user.is_admin(): raise BX(_(u'Only admins can create LDAP groups')) if ldap and not config.get("identity.ldap.enabled", False): raise BX(_(u'LDAP is not enabled')) try: group = Group.by_name(group_name) except NoResultFound: group = Group() session.add(group) group.record_activity(user=identity.current.user, service=u'XMLRPC', field=u'Group', action=u'Created') group.display_name = display_name group.group_name = group_name group.description = description group.root_password = password if ldap: group.membership_type = GroupMembershipType.ldap group.refresh_ldap_members() else: group.add_member(identity.current.user, is_owner=True, service=u'XMLRPC', agent=identity.current.user) return 'Group created: %s.' % group_name else: raise BX(_(u'Group already exists: %s.' % group_name))
def test_group_create(self): group_name = data_setup.unique_name('group%s') display_name = 'My Group' out = run_client([ 'bkr', 'group-create', '--display-name', display_name, group_name ]) self.assert_('Group created' in out, out) with session.begin(): group = Group.by_name(group_name) self.assertEquals(group.display_name, display_name) self.assertEquals(group.activity[-1].action, u'Added') self.assertEquals(group.activity[-1].field_name, u'Owner') self.assertEquals(group.activity[-1].new_value, data_setup.ADMIN_USER) self.assertEquals(group.activity[-1].service, u'XMLRPC') self.assertEquals(group.activity[-2].action, u'Added') self.assertEquals(group.activity[-2].field_name, u'User') self.assertEquals(group.activity[-2].new_value, data_setup.ADMIN_USER) self.assertEquals(group.activity[-2].service, u'XMLRPC') self.assertEquals(group.activity[-3].action, u'Created') self.assertEquals(group.activity[-3].service, u'XMLRPC') group_name = data_setup.unique_name('group%s') out = run_client(['bkr', 'group-create', group_name]) self.assert_('Group created' in out, out) with session.begin(): group = Group.by_name(group_name) self.assertEqual(group.group_name, group_name) self.assertEqual(group.display_name, group_name) group_name = data_setup.unique_name('group%s') try: out = run_client(['bkr', 'group-create', group_name, group_name]) self.fail('Must fail or die') except ClientError, e: self.assert_( 'Exactly one group name must be specified' in e.stderr_output, e.stderr_output)
def test_group_modify_remove_member(self): with session.begin(): user = data_setup.create_user() self.group.add_member(user) session.flush() self.assert_(user in self.group.users) mail_capture_thread.start_capturing() out = run_client(['bkr', 'group-modify', '--remove-member', user.user_name, self.group.group_name], config = self.client_config) with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assert_(user.user_name not in [u.user_name for u in group.users]) self.check_notification(user, group, action='Removed') with session.begin(): session.refresh(self.group) group = Group.by_name(self.group.group_name) self.assertEquals(group.activity[-1].action, u'Removed') self.assertEquals(group.activity[-1].field_name, u'User') self.assertEquals(group.activity[-1].user.user_id, self.user.user_id) self.assertEquals(group.activity[-1].old_value, user.user_name) self.assertEquals(group.activity[-1].new_value, None) self.assertEquals(group.activity[-1].service, u'HTTP') try: out = run_client(['bkr', 'group-modify', '--remove-member', 'idontexist', self.group.group_name], config = self.client_config) self.fail('Must fail or die') except ClientError, e: self.assert_('User idontexist does not exist' in e.stderr_output, e.stderr_output)
def test_cannot_delete_protected_group_by_admin(self): with session.begin(): user = data_setup.create_admin(password='******') admin_group = Group.by_name('admin') b = self.browser login(b, user=user.user_name, password='******') b.get(get_server_base() + 'groups/') self.assert_('Delete' not in b.find_element_by_xpath( "//tr[(td[1]/a[text()='%s'])]" % admin_group.group_name).text) b.get(get_server_base() + 'groups/mine') self.assert_('Delete' not in b.find_element_by_xpath( "//tr[(td[1]/a[text()='%s'])]" % admin_group.group_name).text)