def test_admin_attrib_multiple(self):
# create two admin groups
admin_group1 = PortalGroup(name="Admins1", can_admin=True)
admin_group1.save()
admin_group2 = PortalGroup(name="Admins2", can_admin=True)
admin_group2.save()
# add same person to both groups
admin_group1.members.add(self.second_user)
admin_group2.members.add(self.second_user)
admin_group1.save()
admin_group2.save()
# person should be admin now
self.second_user.refresh_from_db(
) # catch changes from signal handlers
self.assertEqual(self.second_user.is_staff, True)
# remove from first group, should still be admin
admin_group1.members.remove(self.second_user)
admin_group1.save()
self.second_user.refresh_from_db(
) # catch changes from signal handlers
self.assertEqual(self.second_user.is_staff, True)
# remove from second group, should lose admin status
admin_group2.members.remove(self.second_user)
self.second_user.refresh_from_db(
) # catch changes from signal handlers
self.assertEqual(self.second_user.is_staff, False)
def test_user(api_client, admin_user_with_k8s_system):
webapp1 = WebApplication(name="webapp1", link_show=True)
webapp1.save()
group1 = PortalGroup(name="group1")
group1.save()
group1.can_web_applications.add(webapp1)
group1.save()
admin_user_with_k8s_system.portal_groups.add(group1)
user_attr_expected = [
'firstname', 'name', 'username', 'user_id', 'primary_email',
'all_emails', 'admin', 'serviceaccount_urls', 'k8s_token',
'webapp_urls', 'group_urls'
]
response = api_client.get(
f'/api/{settings.API_VERSION}/users/{admin_user_with_k8s_system.pk}/')
assert response.status_code == 200
data = response.json()
assert True is data['admin']
for key in user_attr_expected:
assert key in data
assert len(data["group_urls"]) > 0 # all users group, at least
assert len(data["serviceaccount_urls"]) > 0
assert data['all_emails'] == ['*****@*****.**']
assert data['serviceaccount_urls'][0].startswith("http://testserver")
assert data['group_urls'][0].startswith("http://testserver")
def create_group(member=None, app=None):
group = PortalGroup(name="Test Group")
group.save()
if member:
group.members.add(member)
if app:
group.can_web_applications.add(app)
group.save()
return group
def _create_group(self, name, member=None, app=None):
group = PortalGroup(name=name)
group.save()
if member:
group.members.add(member)
if app:
group.can_web_applications.add(app)
group.save()
return group
def test_permission_adjustment(second_user):
assert second_user.user_permissions.all().count() == 0
# Create admin group
admin_group = PortalGroup(name="Admins", can_admin=True)
admin_group.save()
# make member, should get all model permissions
admin_group.members.add(second_user)
admin_group.save()
second_user.refresh_from_db() # catch changes from signal handlers
perm_count = Permission.objects.count()
assert second_user.user_permissions.all().count() == perm_count
def test_subauth_view(self):
group1 = PortalGroup()
group1.save()
self.admin.portal_groups.add(group1)
app1 = WebApplication(name="app1", can_subauth=True)
app1.save()
response = self.client.get('/subauthreq/{}/'.format(app1.pk))
self.assertEqual(response.status_code, 401)
def test_forward_relation_change(self):
"""
Test the case that a user get her groups changed, not the other way around.
"""
admin_group = PortalGroup(name="Admins", can_admin=True)
admin_group.save()
self.assertEqual(admin_group.members.count(), 0)
self.assertEqual(self.second_user.is_staff, False)
self.second_user.portal_groups.add(admin_group)
self.second_user.save()
self.assertEqual(admin_group.members.count(), 1)
self.assertEqual(self.second_user.is_staff, True)
def test_forward_relation_change(second_user):
"""
Test the case that a user get her groups changed, not the other way around.
"""
admin_group = PortalGroup(name="Admins", can_admin=True)
admin_group.save()
assert admin_group.members.count() == 0
assert second_user.is_staff is False
second_user.portal_groups.add(admin_group)
second_user.save()
assert admin_group.members.count() == 1
assert second_user.is_staff is True
def test_user_merge_access_approved(admin_index_request, django_user_model):
run_minikube_sync()
primary = django_user_model(
username="******",
email="*****@*****.**")
primary.save()
ns = KubernetesNamespace(name="default")
ns.save()
new_svc = KubernetesServiceAccount(name="foobar", namespace=ns)
new_svc.save()
secondary = django_user_model(
username="******",
state=User.ACCESS_APPROVED,
email="*****@*****.**",
comments="secondary user comment",
service_account=new_svc)
secondary.save()
group1 = PortalGroup(name="testgroup1")
group1.save()
group2 = PortalGroup(name="testgroup2")
group2.save()
secondary.portal_groups.add(group1)
secondary.portal_groups.add(group2)
secondary.save()
# Build full-fledged request object for logged-in admin
# approve secondary for cluster access
secondary.approve(admin_index_request, new_svc)
# the merge method only accepts a queryset of users since that's what
# the admin interface creates
queryset_of_users = django_user_model.objects.filter(
pk__in=[primary.id, secondary.id])
# merge both users. shouldn't return anything
assert(not merge_users(UserAdmin, admin_index_request, queryset_of_users))
# the primary user has been altered but the old object is still in memory
# we need to query for the updated user again
primary = django_user_model.objects.get(pk=primary.id)
# Does primary have all the values of secondary user?
assert primary.comments == "secondary user comment"
assert primary.portal_groups.filter(name=group1.name)
assert primary.portal_groups.filter(name=group2.name)
assert primary.has_access_approved
class AdminLoggedOutTestCase(BaseTestCase):
'''
An administrator is logged out and part of an auto-admin group.
Web applications and subauth's are not enabled.
'''
def setUp(self):
super().setUp()
User = get_user_model()
self.admin = User(**admin_data)
self.admin.save()
self.admin_group = PortalGroup(name=self.admin_group_name,
can_admin=True)
self.admin_group.save()
self.admin_group.members.add(self.admin)
self.admin_group.save()
def test_user_groups(self):
group1 = PortalGroup(name="group1")
group1.save()
group2 = PortalGroup(name="group2")
group2.save()
self.admin.portal_groups.add(group1)
self.admin.portal_groups.add(group2)
response = self.get(
f'/api/{API_VERSION}/users/{self.admin.pk}/groups/')
self.assertEqual(response.status_code, 200)
data = response.json()
for entry in data:
self.assertIn('name', entry.keys())
# Auto group "all users", Test case group "Admins", plus 2 extra
self.assertEqual(4, len(data))
def test_webapp_user_in_multiple_groups(self):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
group1 = PortalGroup()
group1.save()
group1.can_web_applications.add(app1)
group2 = PortalGroup()
group2.save()
group2.can_web_applications.add(app1)
self.admin.portal_groups.add(group1)
self.admin.portal_groups.add(group2)
response = self.client.get('/welcome/')
self.assertContains(response, "http://www.heise.de")
self.assertEqual(1, str(response.content).count("http://www.heise.de"))
def test_webapp_user_in_multiple_groups(admin_client, admin_user):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
group1 = PortalGroup()
group1.save()
group1.can_web_applications.add(app1)
group2 = PortalGroup()
group2.save()
group2.can_web_applications.add(app1)
admin_user.portal_groups.add(group1)
admin_user.portal_groups.add(group2)
response = admin_client.get('/welcome/')
assert contains(response, "http://www.heise.de")
assert 1 == str(response.content).count("http://www.heise.de")
def test_dont_touch_superuser(second_user):
"""
The can_admin signal handler magic should not be applied to superusers,
otherwise they may loose the backend access when not
be a member of an admin group.
"""
second_user.is_superuser = True
second_user.is_staff = True
second_user.username = "******"
second_user.save()
assert second_user.is_superuser is True
assert second_user.is_staff is True
non_admin_group = PortalGroup(
name="NonAdmins", can_admin=False)
non_admin_group.save()
second_user.portal_groups.add(non_admin_group)
second_user.refresh_from_db() # catch changes from signal handlers
assert second_user.is_superuser is True
assert second_user.is_staff is True
def _prepare_subauth_test(self, user_in_group1, user_in_group2, app_in_group1, app_in_group2, app_enabled):
group1 = PortalGroup()
group1.save()
if user_in_group1:
self.admin.portal_groups.add(group1)
group2 = PortalGroup()
group2.save()
if user_in_group2:
self.admin.portal_groups.add(group2)
app1 = WebApplication(name="app1", can_subauth=app_enabled)
app1.save()
if app_in_group1:
group1.can_web_applications.add(app1)
if app_in_group2:
group2.can_web_applications.add(app1)
return self.client.get('/subauthreq/{}/'.format(app1.pk))
def test_subauth_caching(admin_user_with_k8s, admin_client, mocker):
spy = mocker.spy(SubAuthRequestView, 'get')
# Create new user group, add admin
group1 = PortalGroup()
group1.save()
admin_user_with_k8s.portal_groups.add(group1)
# Create new web application
app1 = WebApplication(name="app1", can_subauth=True)
app1.save()
webapp = app1.pk
# allow web application for group
group1.can_web_applications.add(app1)
# Second call should be answered from cache
response = admin_client.get('/subauthreq/{}/'.format(webapp))
assert response.status_code == 200
response = admin_client.get('/subauthreq/{}/'.format(webapp))
assert response.status_code == 200
spy.assert_called_once()
def test_webapp_user_in_group(admin_client, admin_user):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
group = PortalGroup()
group.save()
admin_user.portal_groups.add(group)
response = admin_client.get('/welcome/')
# User is in group, but this group has the web app not enabled
assert not contains(response, "http://www.heise.de")
group.can_web_applications.add(app1)
response = admin_client.get('/welcome/')
# User is now in a group that has this web app enabled
assert contains(response, "http://www.heise.de")
assert 1 == str(response.content).count("http://www.heise.de")
app1.link_show = False
app1.save()
response = admin_client.get('/welcome/')
# User is now in a group that has this web app, but disabled
assert not contains(response, "http://www.heise.de")
def test_admin_attrib_modification_with_members(second_user):
future_admin_group = PortalGroup(name="Admins", can_admin=False)
future_admin_group.save()
future_admin_group.members.add(second_user)
second_user.refresh_from_db() # catch changes from signal handlers
assert second_user.is_staff is False
future_admin_group.can_admin = True
future_admin_group.save()
second_user.refresh_from_db() # catch changes from signal handlers
assert second_user.is_staff is True
future_admin_group.can_admin = False
future_admin_group.save()
second_user.refresh_from_db() # catch changes from signal handlers
assert second_user.is_staff is False
def test_approval_groups(admin_client, admin_user, client, second_user,
mailoutbox, random_namespace_name):
client.force_login(second_user)
assert second_user.state == second_user.NEW
response = client.post('/access/request/',
{'selected-administrator': admin_user.username})
assertRedirects(response, '/config/')
second_user.refresh_from_db()
approval_url = f"/admin/kubeportal/user/{second_user.approval_id}/approve/"
# We only check for non-special groups (all / K8s users) here, they are tested elsewhere
group1 = PortalGroup(name="Group the user does not have, and gets")
group1.save()
group2 = PortalGroup(name="Group the user already has, and keeps")
group2.save()
second_user.portal_groups.add(group2)
group3 = PortalGroup(
name="Group the user does not have, and still don't get")
group3.save()
group4 = PortalGroup(name="Group the user already has, and looses")
group4.save()
second_user.portal_groups.add(group4)
# Perform approval with new namespace as admin
assert second_user.state == second_user.ACCESS_REQUESTED
response = admin_client.post(
approval_url, {
'choice': 'approve_create',
'approve_create_name': random_namespace_name,
'comments': '',
'portal_groups': [group1.pk, group2.pk]
})
assertRedirects(response, '/admin/kubeportal/user/')
second_user.refresh_from_db()
assert second_user.k8s_namespaces()[0].name == random_namespace_name
assert second_user.state == second_user.ACCESS_APPROVED
assert group1 in list(second_user.portal_groups.all())
assert group2 in list(second_user.portal_groups.all())
assert group3 not in list(second_user.portal_groups.all())
assert group4 not in list(second_user.portal_groups.all())
assert second_user.answered_by != None
def test_admin_attrib_add_remove_user(second_user):
# Create admin group
admin_group = PortalGroup(name="Admins", can_admin=True)
admin_group.save()
# Non-member should not become admin
second_user.refresh_from_db() # catch changes from signal handlers
assert second_user.is_staff is False
# make member, should become admin
admin_group.members.add(second_user)
admin_group.save()
second_user.refresh_from_db() # catch changes from signal handlers
assert second_user.is_staff is True
# remove again from group, shopuld lose admin status
admin_group.members.remove(second_user)
admin_group.save()
second_user.refresh_from_db() # catch changes from signal handlers
assert second_user.is_staff is False
def test_group_non_member(api_client):
group1 = PortalGroup(name="group1")
group1.save()
response = api_client.get(
f'/api/{settings.API_VERSION}/groups/{group1.pk}/')
assert response.status_code == 404
def test_groups_denied(api_client_anon):
group1 = PortalGroup(name="group1")
group1.save()
response = api_client_anon.get(
f'/api/{settings.API_VERSION}/groups/{group1.pk}/')
assert response.status_code == 401
def test_model_methods(self):
admin_group = PortalGroup(name="Admins", can_admin=True)
admin_group.save()
admin_group.members.add(self.second_user)
self.assertEqual(admin_group.has_member(self.second_user), True)
def test_model_methods(second_user):
admin_group = PortalGroup(name="Admins", can_admin=True)
admin_group.save()
admin_group.members.add(second_user)
assert admin_group.has_member(second_user) is True
def test_group_non_member(self):
group1 = PortalGroup(name="group1")
group1.save()
response = self.get(f'/api/{API_VERSION}/groups/{group1.pk}/')
self.assertEqual(response.status_code, 403)
def handle(self, *args, **option):
try:
Token.objects.count()
except:
print(
"This is a fresh installation, not database exists. Skipping integrity check."
)
exit(0)
print("Checking for lost users in OIDC provider tokens ...")
for token in Token.objects.all():
try:
u = token.user
except ObjectDoesNotExist:
print(
f"Missing referenced user for OIDC provider token {token}. Deleting the token object."
)
token.delete()
print("Checking for lost users in OIDC provider codes ...")
for code in Code.objects.all():
try:
u = code.user
except ObjectDoesNotExist:
print(
f"Missing referenced user for OIDC provider code {code}. Deleting the code object."
)
code.delete()
print("Checking for lost users in OpenID consents ...")
for consent in UserConsent.objects.all():
try:
u = consent.user
except ObjectDoesNotExist:
print(
f"Missing referenced user for OpenID consent {consent}. Deleting the consent object."
)
consent.delete()
print("Checking for lost users in portal groups ...")
for group in PortalGroup.objects.all():
for entry in group.members.through.objects.all():
try:
u = entry.user
except ObjectDoesNotExist:
print(
f"Missing referenced user for group / user relation {entry}. Deleting the relation object."
)
entry.delete()
print("Deleting obsolete social auth tables ...")
with connection.cursor() as cursor:
for table in [
"social_auth_usersocialauth", "social_auth_partial",
"social_auth_nonce", "social_auth_code",
"social_auth_association"
]:
try:
cursor.execute(f"drop table {table};")
except:
pass # table already gone
print(
"Checking for lost namespaces in Kubernetes service accounts ...")
# The manager crashes on the normal "objects.all()" access, so we use the ID-based reference check here
for entry in KubernetesServiceAccount.objects.values():
try:
ns = KubernetesNamespace.objects.get(pk=entry['namespace_id'])
except:
print(
f"Missing referenced namespace for service account {entry}. Deleting the service account object."
)
broken_svca = KubernetesServiceAccount.objects.get(
pk=entry['id'])
broken_svca.delete()
print("Check for default portal groups ...")
has_admin_group = PortalGroup.objects.filter(can_admin=True).exists()
if not has_admin_group:
print("Creating missing default group 'Admin users")
admin_group = PortalGroup(name="Admin users", can_admin=True)
admin_group.save()