def role_assignment_for_global_scope(role_for_global_scope):
yield RoleAssignment(
domain={
"scope": "Global",
},
role=role_for_global_scope,
)
def role_assignment_for_system_scope(role_for_system_scope):
yield RoleAssignment(
domain={
"scope": "System",
"identifiers": {"name": "testsystem1", "namespace": "testgarden"},
},
role=role_for_system_scope,
)
def user_to_sync(self):
role = Role(name="role1").save()
role_assignment = RoleAssignment(role=role, domain={"scope": "Global"})
user = User(username="******",
password="******",
role_assignments=[role_assignment])
yield user
role.delete()
def role_assignment(self, role):
return RoleAssignment(
role=role,
domain={
"scope": "Garden",
"identifiers": {
"name": "test_garden"
}
},
)
def user_admin(user_admin_role):
role_assignment = RoleAssignment(role=user_admin_role,
domain={"scope": "Global"})
user = User(username="******")
user.set_password("password")
user.role_assignments = [role_assignment]
user.save()
yield user
user.delete()
def role_assignment_empty_identifiers(self, role):
return RoleAssignment(
role=role,
domain={
"scope": "System",
"identifiers": {
"namespace": "",
"name": "testsystem"
},
},
)
def user_with_permission(event_forward_role):
role_assignment = RoleAssignment(
role=event_forward_role,
domain={
"scope": "Global",
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def load_obj(self, item, **kwargs):
role_id = item.get("role_id")
role_name = item.get("role_name")
role_assignment = RoleAssignment(domain=RoleAssignmentDomain(
scope=item["domain"].get("scope"),
identifiers=item["domain"].get("identifiers"),
))
try:
if role_id:
role_assignment.role = Role.objects.get(id=role_id)
elif role_name:
role_assignment.role = Role.objects.get(name=role_name)
else:
raise ValidationError(
"Either role_id or role_name must be specified")
except Role.DoesNotExist:
raise ValidationError(
f"Could not find role with id = {role_id} or name = {role_name}"
)
return role_assignment
def user(garden_permitted, garden_admin_role, garden_create_role):
role_assignments = [
RoleAssignment(
role=garden_admin_role,
domain={
"scope": "Garden",
"identifiers": {
"name": garden_permitted.name,
},
},
),
RoleAssignment(
role=garden_create_role,
domain={
"scope": "Global",
},
),
]
user = User(username="******", role_assignments=role_assignments).save()
yield user
user.delete()
def user_with_role_assignments():
role = Role(name="assignedrole1", permissions=["garden:read"]).save()
role_assignment = RoleAssignment(domain={
"scope": "Garden",
"identifiers": {
"name": "garden1"
}
},
role=role)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
role.delete()
def read_only_user(garden_permitted, garden_read_role):
role_assignment = RoleAssignment(
role=garden_read_role,
domain={
"scope": "Garden",
"identifiers": {
"name": garden_permitted.name,
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def user_with_permission(garden_permitted, queue_manager_role):
role_assignment = RoleAssignment(
role=queue_manager_role,
domain={
"scope": "Garden",
"identifiers": {
"name": garden_permitted.name,
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def user_with_permission(garden, garden_admin_role):
role_assignment = RoleAssignment(
role=garden_admin_role,
domain={
"scope": "Garden",
"identifiers": {
"name": garden.name
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def ensure_users():
"""Create the default admin user if necessary"""
if User.objects.count() == 0:
username = config.get("auth.default_admin.username")
password = config.get("auth.default_admin.password")
superuser_role = Role.objects.get(name="superuser")
logger.info("Creating default admin user with username: %s", username)
admin = User(username=username)
admin.set_password(password)
admin.role_assignments = [
RoleAssignment(role=superuser_role, domain={"scope": "Global"})
]
admin.save()
def user(request_permitted, operator_role):
role_assignment = RoleAssignment(
role=operator_role,
domain={
"scope": "System",
"identifiers": {
"name": request_permitted.system,
"namespace": request_permitted.namespace,
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def user(system_permitted, system_read_role):
role_assignment = RoleAssignment(
role=system_read_role,
domain={
"scope": "System",
"identifiers": {
"name": system_permitted.name,
"namespace": system_permitted.namespace,
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def test_auth_enabled_allows_sync_users_patch_with_permissions_to_all_gardens(
self,
monkeypatch,
http_client,
base_url,
app_config_auth_enabled,
user,
garden_admin_role,
):
monkeypatch.setattr(
beer_garden.api.http.handlers.v1.garden, "initiate_user_sync", Mock()
)
user.role_assignments.append(
RoleAssignment(
role=garden_admin_role,
domain={
"scope": "Global",
},
),
)
access_token = issue_token_pair(user)["access"]
url = f"{base_url}/api/v1/gardens"
headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json",
}
patch_body = {
"operation": "sync_users",
}
request = HTTPRequest(
url, method="PATCH", headers=headers, body=json.dumps(patch_body)
)
response = yield http_client.fetch(request)
assert response.code == 204
assert beer_garden.api.http.handlers.v1.garden.initiate_user_sync.called is True
def test_auth_enabled_allows_post_permitted_system(
self,
http_client,
base_url,
app_config_auth_enabled,
garden,
user,
system_admin_role,
system_cleanup,
):
garden_role_assignment = RoleAssignment(
role=system_admin_role,
domain={"scope": "Garden", "identifiers": {"name": garden.name}},
)
user.role_assignments.append(garden_role_assignment)
access_token = issue_token_pair(user)["access"]
url = f"{base_url}/api/v1/systems"
headers = {"Authorization": f"Bearer {access_token}"}
post_body = {
"version": "1.0.0",
"namespace": garden.name,
"name": "newsystem",
"commands": [
{
"name": "mycommand",
}
],
}
request = HTTPRequest(
url, method="POST", headers=headers, body=json.dumps(post_body)
)
response = yield http_client.fetch(request)
assert response.code == 201
assert len(System.objects.filter(name="newsystem", namespace=garden.name)) == 1
def load_obj(self, item, **kwargs):
item["role"] = self._role
del item["role_name"]
return RoleAssignment(**item)
def role_assignment_for_garden_scope(role_for_garden_scope):
yield RoleAssignment(
domain={"scope": "Garden", "identifiers": {"name": "testgarden"}},
role=role_for_garden_scope,
)
def role_assignment_missing_identifiers(self, role):
return RoleAssignment(role=role, domain={"scope": "Garden"})