def test_inactive_user_group_does_not_affect_repo_permissions_inverse(self):
self.ug1 = fixture.create_user_group(u'G1')
self.ug1.inherit_default_permissions = False
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
# note: make u2 repo owner rather than u1, because the owner always has
# admin permissions
self.test_repo = fixture.create_repo(name=u'myownrepo',
repo_type='hg',
cur_user=self.u2)
# enable only write access for user group on repo
RepoModel().grant_user_group_permission(self.test_repo,
group_name=self.ug1,
perm='repository.write')
# enable admin access for default user on repo
RepoModel().grant_user_permission(self.test_repo,
user='******',
perm='repository.admin')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
def test_enforce_groups(self, pre_existing, regular_should_be,
external_should_be, groups, expected):
# delete all groups
for gr in UserGroup.query():
fixture.destroy_user_group(gr)
Session().commit()
user = User.get_by_username(base.TEST_USER_REGULAR_LOGIN)
for gr in pre_existing:
gr = fixture.create_user_group(gr)
Session().commit()
# make sure use is just in those groups
for gr in regular_should_be:
gr = fixture.create_user_group(gr)
Session().commit()
UserGroupModel().add_user_to_group(gr, user)
Session().commit()
# now special external groups created by auth plugins
for gr in external_should_be:
gr = fixture.create_user_group(
gr, user_group_data={'extern_type': 'container'})
Session().commit()
UserGroupModel().add_user_to_group(gr, user)
Session().commit()
UserGroupModel().enforce_groups(user, groups, 'container')
Session().commit()
user = User.get_by_username(base.TEST_USER_REGULAR_LOGIN)
in_groups = user.group_member
assert sorted(expected) == sorted(x.users_group.users_group_name
for x in in_groups)
def test_repo_group_user_as_user_group_member(self):
# create Group1
self.g1 = fixture.create_repo_group(u'group1', skip_if_exists=True)
a1_auth = AuthUser(user_id=self.anon.user_id)
assert a1_auth.permissions['repositories_groups'] == {
u'group1': u'group.read'
}
# set default permission to none
RepoGroupModel().grant_user_permission(repo_group=self.g1,
user=self.anon,
perm='group.none')
# make group
self.ug1 = fixture.create_user_group(u'G1')
# add user to group
UserGroupModel().add_user_to_group(self.ug1, self.u1)
Session().commit()
# check if user is in the group
members = [
x.user_id
for x in UserGroupModel().get(self.ug1.users_group_id).members
]
assert members == [self.u1.user_id]
# add some user to that group
# check his permissions
a1_auth = AuthUser(user_id=self.anon.user_id)
assert a1_auth.permissions['repositories_groups'] == {
u'group1': u'group.none'
}
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories_groups'] == {
u'group1': u'group.none'
}
# grant ug1 read permissions for
RepoGroupModel().grant_user_group_permission(repo_group=self.g1,
group_name=self.ug1,
perm='group.read')
Session().commit()
# check if the
obj = Session().query(UserGroupRepoGroupToPerm) \
.filter(UserGroupRepoGroupToPerm.group == self.g1) \
.filter(UserGroupRepoGroupToPerm.users_group == self.ug1) \
.scalar()
assert obj.permission.permission_name == 'group.read'
a1_auth = AuthUser(user_id=self.anon.user_id)
assert a1_auth.permissions['repositories_groups'] == {
u'group1': u'group.none'
}
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories_groups'] == {
u'group1': u'group.read'
}
def test_ValidUserGroup(self):
validator = v.ValidUserGroup()
with pytest.raises(formencode.Invalid):
validator.to_python('default')
with pytest.raises(formencode.Invalid):
validator.to_python('.,')
gr = fixture.create_user_group('test')
gr2 = fixture.create_user_group('tes2')
Session().commit()
with pytest.raises(formencode.Invalid):
validator.to_python('test')
assert gr.users_group_id is not None
validator = v.ValidUserGroup(
edit=True, old_data={'users_group_id': gr2.users_group_id})
with pytest.raises(formencode.Invalid):
validator.to_python('test')
with pytest.raises(formencode.Invalid):
validator.to_python('TesT')
with pytest.raises(formencode.Invalid):
validator.to_python('TEST')
UserGroupModel().delete(gr)
UserGroupModel().delete(gr2)
Session().commit()
def delete_perms(self, id):
"""
DELETE an existing repository group permission user
:param group_name:
"""
try:
obj_type = request.POST.get('obj_type')
obj_id = None
if obj_type == 'user':
obj_id = safe_int(request.POST.get('user_id'))
elif obj_type == 'user_group':
obj_id = safe_int(request.POST.get('user_group_id'))
if not c.authuser.is_admin:
if obj_type == 'user' and c.authuser.user_id == obj_id:
msg = _('Cannot revoke permission for yourself as admin')
h.flash(msg, category='warning')
raise Exception('revoke admin permission on self')
if obj_type == 'user':
UserGroupModel().revoke_user_permission(user_group=id,
user=obj_id)
elif obj_type == 'user_group':
UserGroupModel().revoke_user_group_permission(
target_user_group=id, user_group=obj_id)
Session().commit()
except Exception:
log.error(traceback.format_exc())
h.flash(_('An error occurred during revoking of permission'),
category='error')
raise HTTPInternalServerError()
def test_create_and_remove(self):
usr = UserModel().create_or_update(username=u'test_user',
password=u'qweqwe',
email=u'*****@*****.**',
firstname=u'u1', lastname=u'u1')
Session().commit()
assert User.get_by_username(u'test_user') == usr
assert User.get_by_username(u'test_USER', case_insensitive=True) == usr
# User.get_by_username without explicit request for case insensitivty
# will use database case sensitivity. The following will thus return
# None on for example PostgreSQL but find test_user on MySQL - we are
# fine with leaving that as undefined as long as it doesn't crash.
User.get_by_username(u'test_USER', case_insensitive=False)
# make user group
user_group = fixture.create_user_group(u'some_example_group')
Session().commit()
UserGroupModel().add_user_to_group(user_group, usr)
Session().commit()
assert UserGroup.get(user_group.users_group_id) == user_group
assert UserGroupMember.query().count() == 1
UserModel().delete(usr.user_id)
Session().commit()
assert UserGroupMember.query().all() == []
def test_propagated_permission_from_users_group(self):
# make group
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u3)
# grant perm for group this should override default permission from user
new_perm_gr = 'repository.write'
RepoModel().grant_user_group_permission(repo=HG_REPO,
group_name=self.ug1,
perm=new_perm_gr)
# check perms
u3_auth = AuthUser(user_id=self.u3.user_id)
perms = {
'repositories_groups': {},
'global':
set([
u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate'
]),
'repositories': {
u'vcs_test_hg': u'repository.read'
}
}
self.assertEqual(u3_auth.permissions['repositories'][HG_REPO],
new_perm_gr)
self.assertEqual(u3_auth.permissions['repositories_groups'],
perms['repositories_groups'])
def create(self):
"""POST /users_groups: Create a new item"""
# url('users_groups')
users_group_form = UserGroupForm()()
try:
form_result = users_group_form.to_python(dict(request.POST))
ug = UserGroupModel().create(
name=form_result['users_group_name'],
description=form_result['user_group_description'],
owner=self.authuser.user_id,
active=form_result['users_group_active'])
gr = form_result['users_group_name']
action_logger(self.authuser, 'admin_created_users_group:%s' % gr,
None, self.ip_addr, self.sa)
h.flash(h.literal(
_('Created user group %s') %
h.link_to(h.escape(gr),
url('edit_users_group', id=ug.users_group_id))),
category='success')
Session().commit()
except formencode.Invalid, errors:
return htmlfill.render(
render('admin/user_groups/user_group_add.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
def test_enforce_groups(self, pre_existing, regular_should_be,
external_should_be, groups, expected):
# delete all groups
for gr in UserGroupModel.get_all():
fixture.destroy_user_group(gr)
Session().commit()
user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
for gr in pre_existing:
gr = fixture.create_user_group(gr)
Session().commit()
# make sure use is just in those groups
for gr in regular_should_be:
gr = fixture.create_user_group(gr)
Session().commit()
UserGroupModel().add_user_to_group(gr, user)
Session().commit()
# now special external groups created by auth plugins
for gr in external_should_be:
gr = fixture.create_user_group(gr, user_group_data={'extern_type': 'container'})
Session().commit()
UserGroupModel().add_user_to_group(gr, user)
Session().commit()
UserGroupModel().enforce_groups(user, groups, 'container')
Session().commit()
user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
in_groups = user.group_member
self.assertEqual(expected, [x.users_group.users_group_name for x in in_groups])
def create(self):
users_group_form = UserGroupForm()()
try:
form_result = users_group_form.to_python(dict(request.POST))
ug = UserGroupModel().create(
name=form_result['users_group_name'],
description=form_result['user_group_description'],
owner=request.authuser.user_id,
active=form_result['users_group_active'])
gr = form_result['users_group_name']
action_logger(request.authuser,
'admin_created_users_group:%s' % gr, None,
request.ip_addr)
h.flash(
h.HTML(_('Created user group %s')) %
h.link_to(gr, url('edit_users_group', id=ug.users_group_id)),
category='success')
Session().commit()
except formencode.Invalid as errors:
return htmlfill.render(
render('admin/user_groups/user_group_add.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during creation of user group %s') %
request.POST.get('users_group_name'),
category='error')
raise HTTPFound(location=url('users_groups'))
def edit_default_perms(self, id):
c.user_group = UserGroup.get_or_404(id)
c.active = 'default_perms'
permissions = {
'repositories': {},
'repositories_groups': {}
}
ugroup_repo_perms = UserGroupRepoToPerm.query() \
.options(joinedload(UserGroupRepoToPerm.permission)) \
.options(joinedload(UserGroupRepoToPerm.repository)) \
.filter(UserGroupRepoToPerm.users_group_id == id) \
.all()
for gr in ugroup_repo_perms:
permissions['repositories'][gr.repository.repo_name] \
= gr.permission.permission_name
ugroup_group_perms = UserGroupRepoGroupToPerm.query() \
.options(joinedload(UserGroupRepoGroupToPerm.permission)) \
.options(joinedload(UserGroupRepoGroupToPerm.group)) \
.filter(UserGroupRepoGroupToPerm.users_group_id == id) \
.all()
for gr in ugroup_group_perms:
permissions['repositories_groups'][gr.group.group_name] \
= gr.permission.permission_name
c.permissions = permissions
ug_model = UserGroupModel()
defaults = c.user_group.get_dict()
defaults.update({
'create_repo_perm': ug_model.has_perm(c.user_group,
'hg.create.repository'),
'create_user_group_perm': ug_model.has_perm(c.user_group,
'hg.usergroup.create.true'),
'fork_repo_perm': ug_model.has_perm(c.user_group,
'hg.fork.repository'),
})
return htmlfill.render(
render('admin/user_groups/user_group_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False
)
def update(self, id):
"""PUT /user_groups/id: Update an existing item"""
# Forms posted to this method should contain a hidden field:
# <input type="hidden" name="_method" value="PUT" />
# Or using helpers:
# h.form(url('users_group', id=ID),
# method='put')
# url('users_group', id=ID)
c.user_group = UserGroup.get_or_404(id)
c.active = 'settings'
self.__load_data(id)
available_members = [safe_unicode(x[0]) for x in c.available_members]
users_group_form = UserGroupForm(edit=True,
old_data=c.user_group.get_dict(),
available_members=available_members)()
try:
form_result = users_group_form.to_python(request.POST)
UserGroupModel().update(c.user_group, form_result)
gr = form_result['users_group_name']
action_logger(self.authuser,
'admin_updated_users_group:%s' % gr,
None, self.ip_addr, self.sa)
h.flash(_('Updated user group %s') % gr, category='success')
Session().commit()
except formencode.Invalid, errors:
ug_model = UserGroupModel()
defaults = errors.value
e = errors.error_dict or {}
defaults.update({
'create_repo_perm': ug_model.has_perm(id,
'hg.create.repository'),
'fork_repo_perm': ug_model.has_perm(id,
'hg.fork.repository'),
'_method': 'put'
})
return htmlfill.render(
render('admin/user_groups/user_group_edit.html'),
defaults=defaults,
errors=e,
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
def update(self, id):
"""PUT /user_groups/id: Update an existing item"""
# Forms posted to this method should contain a hidden field:
# <input type="hidden" name="_method" value="PUT" />
# Or using helpers:
# h.form(url('users_group', id=ID),
# method='put')
# url('users_group', id=ID)
c.user_group = UserGroup.get_or_404(id)
c.active = 'settings'
self.__load_data(id)
available_members = [safe_unicode(x[0]) for x in c.available_members]
users_group_form = UserGroupForm(edit=True,
old_data=c.user_group.get_dict(),
available_members=available_members)()
try:
form_result = users_group_form.to_python(request.POST)
UserGroupModel().update(c.user_group, form_result)
gr = form_result['users_group_name']
action_logger(self.authuser, 'admin_updated_users_group:%s' % gr,
None, self.ip_addr, self.sa)
h.flash(_('Updated user group %s') % gr, category='success')
Session().commit()
except formencode.Invalid, errors:
ug_model = UserGroupModel()
defaults = errors.value
e = errors.error_dict or {}
defaults.update({
'create_repo_perm':
ug_model.has_perm(id, 'hg.create.repository'),
'fork_repo_perm':
ug_model.has_perm(id, 'hg.fork.repository'),
'_method':
'put'
})
return htmlfill.render(
render('admin/user_groups/user_group_edit.html'),
defaults=defaults,
errors=e,
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
def update(self, id):
c.user_group = UserGroup.get_or_404(id)
c.active = 'settings'
self.__load_data(id)
available_members = [safe_str(x[0]) for x in c.available_members]
users_group_form = UserGroupForm(edit=True,
old_data=c.user_group.get_dict(),
available_members=available_members)()
try:
form_result = users_group_form.to_python(request.POST)
UserGroupModel().update(c.user_group, form_result)
gr = form_result['users_group_name']
action_logger(request.authuser,
'admin_updated_users_group:%s' % gr, None,
request.ip_addr)
h.flash(_('Updated user group %s') % gr, category='success')
Session().commit()
except formencode.Invalid as errors:
ug_model = UserGroupModel()
defaults = errors.value
e = errors.error_dict or {}
defaults.update({
'create_repo_perm':
ug_model.has_perm(id, 'hg.create.repository'),
'fork_repo_perm':
ug_model.has_perm(id, 'hg.fork.repository'),
})
return htmlfill.render(
render('admin/user_groups/user_group_edit.html'),
defaults=defaults,
errors=e,
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during update of user group %s') %
request.POST.get('users_group_name'),
category='error')
raise HTTPFound(location=url('edit_users_group', id=id))
def update(self, id):
c.user_group = UserGroup.get_or_404(id)
c.active = 'settings'
self.__load_data(id)
available_members = [safe_unicode(x[0]) for x in c.available_members]
users_group_form = UserGroupForm(edit=True,
old_data=c.user_group.get_dict(),
available_members=available_members)()
try:
form_result = users_group_form.to_python(request.POST)
UserGroupModel().update(c.user_group, form_result)
gr = form_result['users_group_name']
action_logger(request.authuser,
'admin_updated_users_group:%s' % gr,
None, request.ip_addr)
h.flash(_('Updated user group %s') % gr, category='success')
Session().commit()
except formencode.Invalid as errors:
ug_model = UserGroupModel()
defaults = errors.value
e = errors.error_dict or {}
defaults.update({
'create_repo_perm': ug_model.has_perm(id,
'hg.create.repository'),
'fork_repo_perm': ug_model.has_perm(id,
'hg.fork.repository'),
})
return htmlfill.render(
render('admin/user_groups/user_group_edit.html'),
defaults=defaults,
errors=e,
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during update of user group %s') \
% request.POST.get('users_group_name'), category='error')
raise HTTPFound(location=url('edit_users_group', id=id))
def edit_default_perms(self, id):
c.user_group = UserGroup.get_or_404(id)
c.active = 'default_perms'
permissions = {'repositories': {}, 'repositories_groups': {}}
ugroup_repo_perms = UserGroupRepoToPerm.query()\
.options(joinedload(UserGroupRepoToPerm.permission))\
.options(joinedload(UserGroupRepoToPerm.repository))\
.filter(UserGroupRepoToPerm.users_group_id == id)\
.all()
for gr in ugroup_repo_perms:
permissions['repositories'][gr.repository.repo_name] \
= gr.permission.permission_name
ugroup_group_perms = UserGroupRepoGroupToPerm.query()\
.options(joinedload(UserGroupRepoGroupToPerm.permission))\
.options(joinedload(UserGroupRepoGroupToPerm.group))\
.filter(UserGroupRepoGroupToPerm.users_group_id == id)\
.all()
for gr in ugroup_group_perms:
permissions['repositories_groups'][gr.group.group_name] \
= gr.permission.permission_name
c.permissions = permissions
ug_model = UserGroupModel()
defaults = c.user_group.get_dict()
defaults.update({
'create_repo_perm':
ug_model.has_perm(c.user_group, 'hg.create.repository'),
'create_user_group_perm':
ug_model.has_perm(c.user_group, 'hg.usergroup.create.true'),
'fork_repo_perm':
ug_model.has_perm(c.user_group, 'hg.fork.repository'),
})
return htmlfill.render(
render('admin/user_groups/user_group_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def test_inactive_user_group_does_not_affect_repo_group_permissions_inverse(self):
self.ug1 = fixture.create_user_group(u'G1')
self.ug1.inherit_default_permissions = False
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
self.g1 = fixture.create_repo_group(u'group1', skip_if_exists=True)
# enable only write access for user group on repo group
RepoGroupModel().grant_user_group_permission(self.g1,
group_name=self.ug1,
perm='group.write')
# enable admin access for default user on repo group
RepoGroupModel().grant_user_permission(self.g1,
user='******',
perm='group.admin')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories_groups'] == {u'group1': u'group.admin'}
def test_inactive_user_group_does_not_affect_user_group_permissions_inverse(self):
self.ug1 = fixture.create_user_group(u'G1')
self.ug1.inherit_default_permissions = False
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
self.ug2 = fixture.create_user_group(u'G2')
# enable only write access for user group on user group
UserGroupModel().grant_user_group_permission(self.ug2,
user_group=self.ug1,
perm='usergroup.write')
# enable admin access for default user on user group
UserGroupModel().grant_user_permission(self.ug2,
user='******',
perm='usergroup.admin')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['user_groups'][u'G1'], u'usergroup.read')
self.assertEqual(u1_auth.permissions['user_groups'][u'G2'], u'usergroup.admin')
def test_inactive_user_group_does_not_affect_repo_permissions_inverse(
self):
self.ug1 = fixture.create_user_group(u'G1')
self.ug1.inherit_default_permissions = False
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
# note: make u2 repo owner rather than u1, because the owner always has
# admin permissions
self.test_repo = fixture.create_repo(name=u'myownrepo',
repo_type='hg',
cur_user=self.u2)
# enable only write access for user group on repo
RepoModel().grant_user_group_permission(self.test_repo,
group_name=self.ug1,
perm='repository.write')
# enable admin access for default user on repo
RepoModel().grant_user_permission(self.test_repo,
user='******',
perm='repository.admin')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][
'myownrepo'] == 'repository.admin'
def delete(self, id):
usr_gr = UserGroup.get_or_404(id)
try:
UserGroupModel().delete(usr_gr)
Session().commit()
h.flash(_('Successfully deleted user group'), category='success')
except UserGroupsAssignedException as e:
h.flash(e, category='error')
except Exception:
log.error(traceback.format_exc())
h.flash(_('An error occurred during deletion of user group'),
category='error')
raise HTTPFound(location=url('users_groups'))
def test_propagated_permission_from_users_group(self):
# make group
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u3)
# grant perm for group this should override default permission from user
new_perm_gr = 'repository.write'
RepoModel().grant_user_group_permission(repo=base.HG_REPO,
group_name=self.ug1,
perm=new_perm_gr)
# check perms
u3_auth = AuthUser(user_id=self.u3.user_id)
assert u3_auth.permissions['repositories'][base.HG_REPO] == new_perm_gr
def teardown_method(self, method):
if hasattr(self, 'test_repo'):
RepoModel().delete(repo=self.test_repo)
UserModel().delete(self.u1)
UserModel().delete(self.u2)
UserModel().delete(self.u3)
UserModel().delete(self.a1)
Session().commit(
) # commit early to avoid SQLAlchemy warning from double cascade delete to users_groups_members
if hasattr(self, 'g1'):
RepoGroupModel().delete(self.g1.group_id)
if hasattr(self, 'g2'):
RepoGroupModel().delete(self.g2.group_id)
if hasattr(self, 'ug2'):
UserGroupModel().delete(self.ug2, force=True)
if hasattr(self, 'ug1'):
UserGroupModel().delete(self.ug1, force=True)
Session().commit()
def delete(self, id):
"""DELETE /user_groups/id: Delete an existing item"""
# Forms posted to this method should contain a hidden field:
# <input type="hidden" name="_method" value="DELETE" />
# Or using helpers:
# h.form(url('users_group', id=ID),
# method='delete')
# url('users_group', id=ID)
usr_gr = UserGroup.get_or_404(id)
try:
UserGroupModel().delete(usr_gr)
Session().commit()
h.flash(_('Successfully deleted user group'), category='success')
except UserGroupsAssignedException, e:
h.flash(e, category='error')
def setup_module():
global test_u2_id, test_u2_gr_id, _get_repo_perms, _get_group_perms
test_u2 = _create_project_tree()
Session().commit()
test_u2_id = test_u2.user_id
gr1 = fixture.create_user_group(u'perms_group_1')
Session().commit()
test_u2_gr_id = gr1.users_group_id
UserGroupModel().add_user_to_group(gr1, user=test_u2_id)
Session().commit()
_get_repo_perms = functools.partial(_get_perms, key='repositories',
test_u1_id=test_u2_id)
_get_group_perms = functools.partial(_get_perms, key='repositories_groups',
test_u1_id=test_u2_id)
def create_user_group(self, name, **kwargs):
if 'skip_if_exists' in kwargs:
del kwargs['skip_if_exists']
gr = UserGroup.get_by_group_name(group_name=name)
if gr:
return gr
form_data = self._get_user_group_create_params(name, **kwargs)
owner = kwargs.get('cur_user', TEST_USER_ADMIN_LOGIN)
user_group = UserGroupModel().create(
name=form_data['users_group_name'],
description=form_data['user_group_description'],
owner=owner,
active=form_data['users_group_active'],
group_data=form_data['user_group_data'])
Session().commit()
user_group = UserGroup.get_by_group_name(user_group.users_group_name)
return user_group
def tearDown(self):
if hasattr(self, 'test_repo'):
RepoModel().delete(repo=self.test_repo)
UserModel().delete(self.u1)
UserModel().delete(self.u2)
UserModel().delete(self.u3)
UserModel().delete(self.a1)
if hasattr(self, 'g1'):
RepoGroupModel().delete(self.g1.group_id)
if hasattr(self, 'g2'):
RepoGroupModel().delete(self.g2.group_id)
if hasattr(self, 'ug1'):
UserGroupModel().delete(self.ug1, force=True)
Session().commit()
def test_inactive_user_group_does_not_affect_user_group_permissions(self):
self.ug1 = fixture.create_user_group('G1')
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
self.ug2 = fixture.create_user_group('G2')
# enable admin access for user group on user group
UserGroupModel().grant_user_group_permission(self.ug2,
user_group=self.ug1,
perm='usergroup.admin')
# enable only write access for default user on user group
UserGroupModel().grant_user_permission(self.ug2,
user='******',
perm='usergroup.write')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['user_groups']['G1'] == 'usergroup.read'
assert u1_auth.permissions['user_groups']['G2'] == 'usergroup.write'
def _authenticate(self, userobj, username, passwd, settings, **kwargs):
auth = super(KallitheaExternalAuthPlugin,
self)._authenticate(userobj, username, passwd, settings,
**kwargs)
if auth:
# maybe plugin will clean the username ?
# we should use the return value
username = auth['username']
# if user is not active from our extern type we should fail to auth
# this can prevent from creating users in Kallithea when using
# external authentication, but if it's inactive user we shouldn't
# create that user anyway
if auth['active_from_extern'] is False:
log.warning(
"User %s authenticated against %s, but is inactive" %
(username, self.__module__))
return None
if self.use_fake_password():
# Randomize the PW because we don't need it, but don't want
# them blank either
passwd = PasswordGenerator().gen_password(length=8)
log.debug('Updating or creating user info from %s plugin' %
self.name)
user = UserModel().create_or_update(
username=username,
password=passwd,
email=auth["email"],
firstname=auth["firstname"],
lastname=auth["lastname"],
active=auth["active"],
admin=auth["admin"],
extern_name=auth["extern_name"],
extern_type=self.name)
Session().flush()
# enforce user is just in given groups, all of them has to be ones
# created from plugins. We store this info in _group_data JSON field
groups = auth['groups'] or []
UserGroupModel().enforce_groups(user, groups, self.name)
Session().commit()
return auth
def test_owner_permissions_doesnot_get_overwritten_by_group(self):
#create repo as USER,
self.test_repo = fixture.create_repo(name='myownrepo',
repo_type='hg',
cur_user=self.u1)
#he has permissions of admin as owner
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
#set his permission as user group, he should still be admin
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u1)
RepoModel().grant_user_group_permission(self.test_repo,
group_name=self.ug1,
perm='repository.none')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
def test_create_and_remove(self):
usr = UserModel().create_or_update(username=u'test_user',
password=u'qweqwe',
email=u'*****@*****.**',
firstname=u'u1', lastname=u'u1')
Session().commit()
self.assertEqual(User.get_by_username(u'test_user'), usr)
# make user group
user_group = fixture.create_user_group('some_example_group')
Session().commit()
UserGroupModel().add_user_to_group(user_group, usr)
Session().commit()
self.assertEqual(UserGroup.get(user_group.users_group_id), user_group)
self.assertEqual(UserGroupMember.query().count(), 1)
UserModel().delete(usr.user_id)
Session().commit()
self.assertEqual(UserGroupMember.query().all(), [])
def test_propagated_permission_from_users_group_lower_weight(self):
# make group
self.ug1 = fixture.create_user_group('G1')
# add user to group
UserGroupModel().add_user_to_group(self.ug1, self.u1)
# set permission to lower
new_perm_h = 'repository.write'
RepoModel().grant_user_permission(repo=HG_REPO,
user=self.u1,
perm=new_perm_h)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm_h)
# grant perm for group this should NOT override permission from user
# since it's lower than granted
new_perm_l = 'repository.read'
RepoModel().grant_user_group_permission(repo=HG_REPO,
group_name=self.ug1,
perm=new_perm_l)
# check perms
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {},
'global':
set([
u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate'
]),
'repositories': {
u'vcs_test_hg': u'repository.write'
}
}
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm_h)
self.assertEqual(u1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
def update_perms(self, id):
"""
grant permission for given usergroup
:param id:
"""
user_group = UserGroup.get_or_404(id)
form = UserGroupPermsForm()().to_python(request.POST)
# set the permissions !
try:
UserGroupModel()._update_permissions(user_group, form['perms_new'],
form['perms_updates'])
except RepoGroupAssignmentError:
h.flash(_('Target group cannot be the same'), category='error')
return redirect(url('edit_user_group_perms', id=id))
#TODO: implement this
#action_logger(self.authuser, 'admin_changed_repo_permissions',
# repo_name, self.ip_addr, self.sa)
Session().commit()
h.flash(_('User Group permissions updated'), category='success')
return redirect(url('edit_user_group_perms', id=id))
def test_propagated_permission_from_users_group_by_explicit_perms_exist(
self):
# make group
self.ug1 = fixture.create_user_group(u'G1')
UserGroupModel().add_user_to_group(self.ug1, self.u1)
# set permission to lower
new_perm = 'repository.none'
RepoModel().grant_user_permission(repo=HG_REPO,
user=self.u1,
perm=new_perm)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][HG_REPO] == new_perm
# grant perm for group this should not override permission from user
# since it has explicitly set
new_perm_gr = 'repository.write'
RepoModel().grant_user_group_permission(repo=HG_REPO,
group_name=self.ug1,
perm=new_perm_gr)
# check perms
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {},
'global':
set([
'hg.create.repository', 'repository.read',
'hg.register.manual_activate'
]),
'repositories': {
HG_REPO: 'repository.read'
}
}
assert u1_auth.permissions['repositories'][HG_REPO] == new_perm
assert u1_auth.permissions['repositories_groups'] == perms[
'repositories_groups']
def test_propagated_permission_from_users_group_by_explicit_perms_exist(
self):
# make group
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u1)
# set user permission none
RepoModel().grant_user_permission(repo=base.HG_REPO,
user=self.u1,
perm='repository.none')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][
base.HG_REPO] == 'repository.read' # inherit from default user
# grant perm for group this should override permission from user
RepoModel().grant_user_group_permission(repo=base.HG_REPO,
group_name=self.ug1,
perm='repository.write')
# verify that user group permissions win
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][
base.HG_REPO] == 'repository.write'
def test_propagated_permission_from_users_group_lower_weight(self):
# make group
self.ug1 = fixture.create_user_group('G1')
# add user to group
UserGroupModel().add_user_to_group(self.ug1, self.u1)
# set permission to lower
new_perm_h = 'repository.write'
RepoModel().grant_user_permission(repo=base.HG_REPO,
user=self.u1,
perm=new_perm_h)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm_h
# grant perm for group this should NOT override permission from user
# since it's lower than granted
new_perm_l = 'repository.read'
RepoModel().grant_user_group_permission(repo=base.HG_REPO,
group_name=self.ug1,
perm=new_perm_l)
# check perms
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm_h
def _authenticate(self, userobj, username, passwd, settings, **kwargs):
user_data = super(KallitheaExternalAuthPlugin,
self)._authenticate(userobj, username, passwd,
settings, **kwargs)
if user_data is not None:
if userobj is None: # external authentication of unknown user that will be created soon
def_user_perms = AuthUser(
dbuser=User.get_default_user()).permissions['global']
active = 'hg.extern_activate.auto' in def_user_perms
else:
active = userobj.active
if self.use_fake_password():
# Randomize the PW because we don't need it, but don't want
# them blank either
passwd = PasswordGenerator().gen_password(length=8)
log.debug('Updating or creating user info from %s plugin',
self.name)
user = UserModel().create_or_update(
username=user_data['username'],
password=passwd,
email=user_data["email"],
firstname=user_data["firstname"],
lastname=user_data["lastname"],
active=active,
admin=user_data["admin"],
extern_name=user_data["extern_name"],
extern_type=self.name,
)
# enforce user is just in given groups, all of them has to be ones
# created from plugins. We store this info in _group_data JSON field
groups = user_data['groups'] or []
UserGroupModel().enforce_groups(user, groups, self.name)
Session().commit()
return user_data
def test_inactive_user_group_does_not_affect_repo_group_permissions(self):
self.ug1 = fixture.create_user_group('G1')
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
self.g1 = fixture.create_repo_group('group1', skip_if_exists=True)
# enable admin access for user group on repo group
RepoGroupModel().grant_user_group_permission(self.g1,
group_name=self.ug1,
perm='group.admin')
# enable only write access for default user on repo group
RepoGroupModel().grant_user_permission(self.g1,
user='******',
perm='group.write')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories_groups'].get(
'group1') == 'group.write'
def update_default_perms(self, id):
user_group = UserGroup.get_or_404(id)
try:
form = CustomDefaultPermissionsForm()()
form_result = form.to_python(request.POST)
inherit_perms = form_result['inherit_default_permissions']
user_group.inherit_default_permissions = inherit_perms
usergroup_model = UserGroupModel()
defs = UserGroupToPerm.query() \
.filter(UserGroupToPerm.users_group == user_group) \
.all()
for ug in defs:
Session().delete(ug)
if form_result['create_repo_perm']:
usergroup_model.grant_perm(id, 'hg.create.repository')
else:
usergroup_model.grant_perm(id, 'hg.create.none')
if form_result['create_user_group_perm']:
usergroup_model.grant_perm(id, 'hg.usergroup.create.true')
else:
usergroup_model.grant_perm(id, 'hg.usergroup.create.false')
if form_result['fork_repo_perm']:
usergroup_model.grant_perm(id, 'hg.fork.repository')
else:
usergroup_model.grant_perm(id, 'hg.fork.none')
h.flash(_("Updated permissions"), category='success')
Session().commit()
except Exception:
log.error(traceback.format_exc())
h.flash(_('An error occurred during permissions saving'),
category='error')
raise HTTPFound(location=url('edit_user_group_default_perms', id=id))
def tearDown(self):
# delete all groups
for gr in UserGroupModel.get_all():
fixture.destroy_user_group(gr)
Session().commit()
def test_inactive_user_group_does_not_affect_global_permissions_inverse(self):
# Issue #138: Inactive User Groups affecting permissions
# Add user to inactive user group, set specific permissions on user
# group and disable inherit-from-default. User permissions should still
# inherit from default.
self.ug1 = fixture.create_user_group(u'G1')
self.ug1.inherit_default_permissions = False
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
# disable fork and create on user group
user_group_model.revoke_perm(self.ug1, perm='hg.create.repository')
user_group_model.grant_perm(self.ug1, perm='hg.create.none')
user_group_model.revoke_perm(self.ug1, perm='hg.fork.repository')
user_group_model.grant_perm(self.ug1, perm='hg.fork.none')
user_model = UserModel()
# enable fork and create on default user
usr = '******'
user_model.revoke_perm(usr, 'hg.create.none')
user_model.grant_perm(usr, 'hg.create.repository')
user_model.revoke_perm(usr, 'hg.fork.none')
user_model.grant_perm(usr, 'hg.fork.repository')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['global'],
set(['hg.create.repository', 'hg.fork.repository',
'hg.register.manual_activate',
'hg.extern_activate.auto',
'repository.read', 'group.read',
'usergroup.read',
'hg.create.write_on_repogroup.true']))
