def test_adds_missing_accesspolicyartifacts(self):
# reconcile_access_for_artifact adds missing links.
product = self.factory.makeProduct()
bug = self.factory.makeBug(target=product)
reconcile_access_for_artifact(bug, InformationType.USERDATA, [])
self.assertPoliciesForBug([], bug)
reconcile_access_for_artifact(bug, InformationType.USERDATA, [product])
self.assertPoliciesForBug([(product, InformationType.USERDATA)], bug)
def test_creates_missing_accessartifact(self):
# reconcile_access_for_artifact creates an AccessArtifact for a
# private artifact if there isn't one already.
bug = self.factory.makeBug()
self.assertTrue(
getUtility(IAccessArtifactSource).find([bug]).is_empty())
reconcile_access_for_artifact(bug, InformationType.USERDATA, [])
self.assertFalse(
getUtility(IAccessArtifactSource).find([bug]).is_empty())
def test_adds_missing_accesspolicyartifacts(self):
# reconcile_access_for_artifact adds missing links.
product = self.factory.makeProduct()
bug = self.factory.makeBug(target=product)
reconcile_access_for_artifact(bug, InformationType.USERDATA, [])
self.assertPoliciesForBug([], bug)
reconcile_access_for_artifact(
bug, InformationType.USERDATA, [product])
self.assertPoliciesForBug([(product, InformationType.USERDATA)], bug)
def test_creates_missing_accessartifact(self):
# reconcile_access_for_artifact creates an AccessArtifact for a
# private artifact if there isn't one already.
bug = self.factory.makeBug()
self.assertTrue(
getUtility(IAccessArtifactSource).find([bug]).is_empty())
reconcile_access_for_artifact(bug, InformationType.USERDATA, [])
self.assertFalse(
getUtility(IAccessArtifactSource).find([bug]).is_empty())
def test_removes_extra_accessartifact(self):
# reconcile_access_for_artifact removes an AccessArtifact for a
# public artifact if there's one left over.
bug = self.factory.makeBug()
reconcile_access_for_artifact(bug, InformationType.USERDATA, [])
self.assertFalse(
getUtility(IAccessArtifactSource).find([bug]).is_empty())
reconcile_access_for_artifact(bug, InformationType.PUBLIC, [])
self.assertTrue(
getUtility(IAccessArtifactSource).find([bug]).is_empty())
def test_removes_extra_accessartifact(self):
# reconcile_access_for_artifact removes an AccessArtifact for a
# public artifact if there's one left over.
bug = self.factory.makeBug()
reconcile_access_for_artifact(bug, InformationType.USERDATA, [])
self.assertFalse(
getUtility(IAccessArtifactSource).find([bug]).is_empty())
reconcile_access_for_artifact(bug, InformationType.PUBLIC, [])
self.assertTrue(
getUtility(IAccessArtifactSource).find([bug]).is_empty())
def test_removes_extra_accesspolicyartifacts(self):
# reconcile_access_for_artifact removes excess links.
bug = self.factory.makeBug()
product = self.factory.makeProduct()
other_product = self.factory.makeProduct()
reconcile_access_for_artifact(bug, InformationType.USERDATA,
[product, other_product])
self.assertPoliciesForBug([(product, InformationType.USERDATA),
(other_product, InformationType.USERDATA)],
bug)
reconcile_access_for_artifact(bug, InformationType.USERDATA, [product])
self.assertPoliciesForBug([(product, InformationType.USERDATA)], bug)
def test_removes_extra_accesspolicyartifacts(self):
# reconcile_access_for_artifact removes excess links.
bug = self.factory.makeBug()
product = self.factory.makeProduct()
other_product = self.factory.makeProduct()
reconcile_access_for_artifact(
bug, InformationType.USERDATA, [product, other_product])
self.assertPoliciesForBug(
[(product, InformationType.USERDATA),
(other_product, InformationType.USERDATA)],
bug)
reconcile_access_for_artifact(
bug, InformationType.USERDATA, [product])
self.assertPoliciesForBug([(product, InformationType.USERDATA)], bug)
def transitionToInformationType(self, information_type, who):
"""See ISpecification."""
# avoid circular imports.
from lp.registry.model.accesspolicy import (
reconcile_access_for_artifact, )
if self.information_type == information_type:
return False
if information_type not in self.getAllowedInformationTypes(who):
raise CannotChangeInformationType("Forbidden by project policy.")
self.information_type = information_type
reconcile_access_for_artifact(self, information_type, [self.target])
if information_type in PRIVATE_INFORMATION_TYPES and self.subscribers:
# Grant the subscribers access if they do not have a
# policy grant.
service = getUtility(IService, 'sharing')
blind_subscribers = service.getPeopleWithoutAccess(
self, self.subscribers)
if len(blind_subscribers):
service.ensureAccessGrants(blind_subscribers,
who,
specifications=[self],
ignore_permissions=True)
return True
def transitionToInformationType(self, information_type, who):
"""See ISpecification."""
# avoid circular imports.
from lp.registry.model.accesspolicy import (
reconcile_access_for_artifact,
)
if self.information_type == information_type:
return False
if information_type not in self.getAllowedInformationTypes(who):
raise CannotChangeInformationType("Forbidden by project policy.")
self.information_type = information_type
reconcile_access_for_artifact(self, information_type, [self.target])
if information_type in PRIVATE_INFORMATION_TYPES and self.subscribers:
# Grant the subscribers access if they do not have a
# policy grant.
service = getUtility(IService, 'sharing')
blind_subscribers = service.getPeopleWithoutAccess(
self, self.subscribers)
if len(blind_subscribers):
service.ensureAccessGrants(
blind_subscribers, who, specifications=[self],
ignore_permissions=True)
return True
def _assert_artifact_change_unsubscribes(self, change_callback,
configure_test):
# Subscribers are unsubscribed if the artifact becomes invisible
# due to a change in information_type.
product = self.factory.makeProduct(
specification_sharing_policy=(
SpecificationSharingPolicy.EMBARGOED_OR_PROPRIETARY))
owner = self.factory.makePerson()
[policy] = getUtility(IAccessPolicySource).find(
[(product, InformationType.USERDATA)])
# The policy grantees will lose access.
policy_indirect_grantee = self.factory.makePerson()
policy_team_grantee = self.factory.makeTeam(
membership_policy=TeamMembershipPolicy.RESTRICTED,
members=[policy_indirect_grantee])
self.factory.makeAccessPolicyGrant(policy, policy_team_grantee, owner)
login_person(owner)
bug = self.factory.makeBug(
owner=owner, target=product,
information_type=InformationType.USERDATA)
branch = self.factory.makeBranch(
owner=owner, product=product,
information_type=InformationType.USERDATA)
specification = self.factory.makeSpecification(
owner=owner, product=product,
information_type=InformationType.PROPRIETARY)
# The artifact grantees will not lose access when the job is run.
artifact_indirect_grantee = self.factory.makePerson()
artifact_team_grantee = self.factory.makeTeam(
membership_policy=TeamMembershipPolicy.RESTRICTED,
members=[artifact_indirect_grantee])
bug.subscribe(artifact_indirect_grantee, owner)
branch.subscribe(artifact_indirect_grantee,
BranchSubscriptionNotificationLevel.NOEMAIL, None,
CodeReviewNotificationLevel.NOEMAIL, owner)
# Subscribing somebody to a specification does not automatically
# create an artifact grant.
spec_artifact = self.factory.makeAccessArtifact(specification)
self.factory.makeAccessArtifactGrant(
spec_artifact, artifact_indirect_grantee)
specification.subscribe(artifact_indirect_grantee, owner)
# pick one of the concrete artifacts (bug, branch or spec)
# and subscribe the teams and persons.
concrete_artifact, get_pillars, get_subscribers = configure_test(
bug, branch, specification, policy_team_grantee,
policy_indirect_grantee, artifact_team_grantee, owner)
# Subscribing policy_team_grantee has created an artifact grant so we
# need to revoke that to test the job.
artifact = self.factory.makeAccessArtifact(concrete=concrete_artifact)
getUtility(IAccessArtifactGrantSource).revokeByArtifact(
[artifact], [policy_team_grantee])
# policy grantees are subscribed because the job has not been run yet.
subscribers = get_subscribers(concrete_artifact)
self.assertIn(policy_team_grantee, subscribers)
self.assertIn(policy_indirect_grantee, subscribers)
# Change artifact attributes so that it can become inaccessible for
# some users.
change_callback(concrete_artifact)
reconcile_access_for_artifact(
concrete_artifact, concrete_artifact.information_type,
get_pillars(concrete_artifact))
getUtility(IRemoveArtifactSubscriptionsJobSource).create(
owner, [concrete_artifact])
with block_on_job(self):
transaction.commit()
# Check the result. Policy grantees will be unsubscribed.
subscribers = get_subscribers(concrete_artifact)
self.assertNotIn(policy_team_grantee, subscribers)
self.assertNotIn(policy_indirect_grantee, subscribers)
self.assertIn(artifact_team_grantee, subscribers)
self.assertIn(artifact_indirect_grantee, bug.getDirectSubscribers())
self.assertIn(artifact_indirect_grantee, branch.subscribers)
self.assertIn(artifact_indirect_grantee, specification.subscribers)
def _assert_artifact_change_unsubscribes(self, change_callback,
configure_test):
# Subscribers are unsubscribed if the artifact becomes invisible
# due to a change in information_type.
product = self.factory.makeProduct(specification_sharing_policy=(
SpecificationSharingPolicy.EMBARGOED_OR_PROPRIETARY))
owner = self.factory.makePerson()
[policy] = getUtility(IAccessPolicySource).find([
(product, InformationType.USERDATA)
])
# The policy grantees will lose access.
policy_indirect_grantee = self.factory.makePerson()
policy_team_grantee = self.factory.makeTeam(
membership_policy=TeamMembershipPolicy.RESTRICTED,
members=[policy_indirect_grantee])
self.factory.makeAccessPolicyGrant(policy, policy_team_grantee, owner)
login_person(owner)
bug = self.factory.makeBug(owner=owner,
target=product,
information_type=InformationType.USERDATA)
branch = self.factory.makeBranch(
owner=owner,
product=product,
information_type=InformationType.USERDATA)
specification = self.factory.makeSpecification(
owner=owner,
product=product,
information_type=InformationType.PROPRIETARY)
# The artifact grantees will not lose access when the job is run.
artifact_indirect_grantee = self.factory.makePerson()
artifact_team_grantee = self.factory.makeTeam(
membership_policy=TeamMembershipPolicy.RESTRICTED,
members=[artifact_indirect_grantee])
bug.subscribe(artifact_indirect_grantee, owner)
branch.subscribe(artifact_indirect_grantee,
BranchSubscriptionNotificationLevel.NOEMAIL, None,
CodeReviewNotificationLevel.NOEMAIL, owner)
# Subscribing somebody to a specification does not automatically
# create an artifact grant.
spec_artifact = self.factory.makeAccessArtifact(specification)
self.factory.makeAccessArtifactGrant(spec_artifact,
artifact_indirect_grantee)
specification.subscribe(artifact_indirect_grantee, owner)
# pick one of the concrete artifacts (bug, branch or spec)
# and subscribe the teams and persons.
concrete_artifact, get_pillars, get_subscribers = configure_test(
bug, branch, specification, policy_team_grantee,
policy_indirect_grantee, artifact_team_grantee, owner)
# Subscribing policy_team_grantee has created an artifact grant so we
# need to revoke that to test the job.
artifact = self.factory.makeAccessArtifact(concrete=concrete_artifact)
getUtility(IAccessArtifactGrantSource).revokeByArtifact(
[artifact], [policy_team_grantee])
# policy grantees are subscribed because the job has not been run yet.
subscribers = get_subscribers(concrete_artifact)
self.assertIn(policy_team_grantee, subscribers)
self.assertIn(policy_indirect_grantee, subscribers)
# Change artifact attributes so that it can become inaccessible for
# some users.
change_callback(concrete_artifact)
reconcile_access_for_artifact(concrete_artifact,
concrete_artifact.information_type,
get_pillars(concrete_artifact))
getUtility(IRemoveArtifactSubscriptionsJobSource).create(
owner, [concrete_artifact])
with block_on_job(self):
transaction.commit()
# Check the result. Policy grantees will be unsubscribed.
subscribers = get_subscribers(concrete_artifact)
self.assertNotIn(policy_team_grantee, subscribers)
self.assertNotIn(policy_indirect_grantee, subscribers)
self.assertIn(artifact_team_grantee, subscribers)
self.assertIn(artifact_indirect_grantee, bug.getDirectSubscribers())
self.assertIn(artifact_indirect_grantee, branch.subscribers)
self.assertIn(artifact_indirect_grantee, specification.subscribers)
