Пример #1
0
 def setUp(self):
     super().setUp()
     User = get_user_model()
     self.admin = User(**admin_data)
     self.admin.save()
     self.admin_group = PortalGroup(name=self.admin_group_name,
                                    can_admin=True)
     self.admin_group.save()
     self.admin_group.members.add(self.admin)
     self.admin_group.save()
Пример #2
0
    def test_subauth_view(self):
        group1 = PortalGroup()
        group1.save()
        self.admin.portal_groups.add(group1)

        app1 = WebApplication(name="app1", can_subauth=True)
        app1.save()

        response = self.client.get('/subauthreq/{}/'.format(app1.pk))

        self.assertEqual(response.status_code, 401)
Пример #3
0
 def test_forward_relation_change(self):
     """
     Test the case that a user get her groups changed, not the other way around.
     """
     admin_group = PortalGroup(name="Admins", can_admin=True)
     admin_group.save()
     self.assertEqual(admin_group.members.count(), 0)
     self.assertEqual(self.second_user.is_staff, False)
     self.second_user.portal_groups.add(admin_group)
     self.second_user.save()
     self.assertEqual(admin_group.members.count(), 1)
     self.assertEqual(self.second_user.is_staff, True)
Пример #4
0
def test_forward_relation_change(second_user):
    """
    Test the case that a user get her groups changed, not the other way around.
    """
    admin_group = PortalGroup(name="Admins", can_admin=True)
    admin_group.save()
    assert admin_group.members.count() == 0
    assert second_user.is_staff is False
    second_user.portal_groups.add(admin_group)
    second_user.save()
    assert admin_group.members.count() == 1
    assert second_user.is_staff is True
Пример #5
0
def test_admin_attrib_modification_with_members(second_user):
    future_admin_group = PortalGroup(name="Admins", can_admin=False)
    future_admin_group.save()
    future_admin_group.members.add(second_user)
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is False
    future_admin_group.can_admin = True
    future_admin_group.save()
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is True
    future_admin_group.can_admin = False
    future_admin_group.save()
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is False
Пример #6
0
class AdminLoggedOutTestCase(BaseTestCase):
    '''
    An administrator is logged out and part of an auto-admin group.
    Web applications and subauth's are not enabled.
    '''
    def setUp(self):
        super().setUp()
        User = get_user_model()
        self.admin = User(**admin_data)
        self.admin.save()
        self.admin_group = PortalGroup(name=self.admin_group_name,
                                       can_admin=True)
        self.admin_group.save()
        self.admin_group.members.add(self.admin)
        self.admin_group.save()
Пример #7
0
def test_dont_touch_superuser(second_user):
    """
    The can_admin signal handler magic should not be applied to superusers,
    otherwise they may loose the backend access when not
    be a member of an admin group.
    """
    second_user.is_superuser = True
    second_user.is_staff = True
    second_user.username = "******"
    second_user.save()
    assert second_user.is_superuser is True
    assert second_user.is_staff is True
    non_admin_group = PortalGroup(
        name="NonAdmins", can_admin=False)
    non_admin_group.save()
    second_user.portal_groups.add(non_admin_group)
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_superuser is True
    assert second_user.is_staff is True
Пример #8
0
def test_user(api_client, admin_user_with_k8s_system):
    webapp1 = WebApplication(name="webapp1", link_show=True)
    webapp1.save()
    group1 = PortalGroup(name="group1")
    group1.save()
    group1.can_web_applications.add(webapp1)
    group1.save()
    admin_user_with_k8s_system.portal_groups.add(group1)

    user_attr_expected = [
        'firstname', 'name', 'username', 'user_id', 'primary_email',
        'all_emails', 'admin', 'serviceaccount_urls', 'k8s_token',
        'webapp_urls', 'group_urls'
    ]

    response = api_client.get(
        f'/api/{settings.API_VERSION}/users/{admin_user_with_k8s_system.pk}/')
    assert response.status_code == 200
    data = response.json()

    assert True is data['admin']

    for key in user_attr_expected:
        assert key in data

    assert len(data["group_urls"]) > 0  # all users group, at least
    assert len(data["serviceaccount_urls"]) > 0
    assert data['all_emails'] == ['*****@*****.**']
    assert data['serviceaccount_urls'][0].startswith("http://testserver")
    assert data['group_urls'][0].startswith("http://testserver")
Пример #9
0
def test_user_merge_access_approved(admin_index_request, django_user_model):
    run_minikube_sync()
    primary = django_user_model(
        username="******",
        email="*****@*****.**")
    primary.save()

    ns = KubernetesNamespace(name="default")
    ns.save()
    new_svc = KubernetesServiceAccount(name="foobar", namespace=ns)
    new_svc.save()
    secondary = django_user_model(
        username="******",
        state=User.ACCESS_APPROVED,
        email="*****@*****.**",
        comments="secondary user comment",
        service_account=new_svc)
    secondary.save()

    group1 = PortalGroup(name="testgroup1")
    group1.save()
    group2 = PortalGroup(name="testgroup2")
    group2.save()

    secondary.portal_groups.add(group1)
    secondary.portal_groups.add(group2)
    secondary.save()

    # Build full-fledged request object for logged-in admin
    # approve secondary for cluster access
    secondary.approve(admin_index_request, new_svc)

    # the merge method only accepts a queryset of users since that's what
    # the admin interface creates
    queryset_of_users = django_user_model.objects.filter(
        pk__in=[primary.id, secondary.id])

    # merge both users. shouldn't return anything
    assert(not merge_users(UserAdmin, admin_index_request, queryset_of_users))

    # the primary user has been altered but the old object is still in memory
    # we need to query for the updated user again
    primary = django_user_model.objects.get(pk=primary.id)

    # Does primary have all the values of secondary user?
    assert primary.comments == "secondary user comment"
    assert primary.portal_groups.filter(name=group1.name)
    assert primary.portal_groups.filter(name=group2.name)
    assert primary.has_access_approved
Пример #10
0
def test_subauth_caching(admin_user_with_k8s, admin_client, mocker):

    spy = mocker.spy(SubAuthRequestView, 'get')

    # Create new user group, add admin
    group1 = PortalGroup()
    group1.save()
    admin_user_with_k8s.portal_groups.add(group1)

    # Create new web application
    app1 = WebApplication(name="app1", can_subauth=True)
    app1.save()
    webapp = app1.pk

    # allow web application for group
    group1.can_web_applications.add(app1)

    # Second call should be answered from cache
    response = admin_client.get('/subauthreq/{}/'.format(webapp))
    assert response.status_code == 200
    response = admin_client.get('/subauthreq/{}/'.format(webapp))
    assert response.status_code == 200
    spy.assert_called_once()
Пример #11
0
 def _create_group(self, name, member=None, app=None):
     group = PortalGroup(name=name)
     group.save()
     if member:
         group.members.add(member)
     if app:
         group.can_web_applications.add(app)
     group.save()
     return group
Пример #12
0
def create_group(member=None, app=None):
    group = PortalGroup(name="Test Group")
    group.save()
    if member:
        group.members.add(member)
    if app:
        group.can_web_applications.add(app)
    group.save()
    return group
Пример #13
0
def test_webapp_user_in_group(admin_client, admin_user):
    app1 = WebApplication(name="app1",
                          link_show=True,
                          link_name="app1",
                          link_url="http://www.heise.de")
    app1.save()
    group = PortalGroup()
    group.save()
    admin_user.portal_groups.add(group)
    response = admin_client.get('/welcome/')
    # User is in group, but this group has the web app not enabled
    assert not contains(response, "http://www.heise.de")

    group.can_web_applications.add(app1)
    response = admin_client.get('/welcome/')
    # User is now in a group that has this web app enabled
    assert contains(response, "http://www.heise.de")
    assert 1 == str(response.content).count("http://www.heise.de")

    app1.link_show = False
    app1.save()
    response = admin_client.get('/welcome/')
    # User is now in a group that has this web app, but disabled
    assert not contains(response, "http://www.heise.de")
Пример #14
0
 def test_webapp_user_in_multiple_groups(self):
     app1 = WebApplication(name="app1",
                           link_show=True,
                           link_name="app1",
                           link_url="http://www.heise.de")
     app1.save()
     group1 = PortalGroup()
     group1.save()
     group1.can_web_applications.add(app1)
     group2 = PortalGroup()
     group2.save()
     group2.can_web_applications.add(app1)
     self.admin.portal_groups.add(group1)
     self.admin.portal_groups.add(group2)
     response = self.client.get('/welcome/')
     self.assertContains(response, "http://www.heise.de")
     self.assertEqual(1, str(response.content).count("http://www.heise.de"))
Пример #15
0
def test_admin_attrib_add_remove_user(second_user):
    # Create admin group
    admin_group = PortalGroup(name="Admins", can_admin=True)
    admin_group.save()
    # Non-member should not become admin
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is False
    # make member, should become admin
    admin_group.members.add(second_user)
    admin_group.save()
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is True
    # remove again from group, shopuld lose admin status
    admin_group.members.remove(second_user)
    admin_group.save()
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is False
Пример #16
0
def test_webapp_user_in_multiple_groups(admin_client, admin_user):
    app1 = WebApplication(name="app1",
                          link_show=True,
                          link_name="app1",
                          link_url="http://www.heise.de")
    app1.save()
    group1 = PortalGroup()
    group1.save()
    group1.can_web_applications.add(app1)
    group2 = PortalGroup()
    group2.save()
    group2.can_web_applications.add(app1)
    admin_user.portal_groups.add(group1)
    admin_user.portal_groups.add(group2)
    response = admin_client.get('/welcome/')
    assert contains(response, "http://www.heise.de")
    assert 1 == str(response.content).count("http://www.heise.de")
Пример #17
0
    def test_user_groups(self):
        group1 = PortalGroup(name="group1")
        group1.save()
        group2 = PortalGroup(name="group2")
        group2.save()

        self.admin.portal_groups.add(group1)
        self.admin.portal_groups.add(group2)

        response = self.get(
            f'/api/{API_VERSION}/users/{self.admin.pk}/groups/')
        self.assertEqual(response.status_code, 200)
        data = response.json()
        for entry in data:
            self.assertIn('name', entry.keys())
        # Auto group "all users", Test case group "Admins", plus 2 extra
        self.assertEqual(4, len(data))
Пример #18
0
def test_permission_adjustment(second_user):
    assert second_user.user_permissions.all().count() == 0
    # Create admin group
    admin_group = PortalGroup(name="Admins", can_admin=True)
    admin_group.save()
    # make member, should get all model permissions
    admin_group.members.add(second_user)
    admin_group.save()
    second_user.refresh_from_db()  # catch changes from signal handlers
    perm_count = Permission.objects.count()
    assert second_user.user_permissions.all().count() == perm_count
Пример #19
0
    def _prepare_subauth_test(self, user_in_group1, user_in_group2, app_in_group1, app_in_group2, app_enabled):
        group1 = PortalGroup()
        group1.save()
        if user_in_group1:
            self.admin.portal_groups.add(group1)

        group2 = PortalGroup()
        group2.save()
        if user_in_group2:
            self.admin.portal_groups.add(group2)

        app1 = WebApplication(name="app1", can_subauth=app_enabled)
        app1.save()

        if app_in_group1:
            group1.can_web_applications.add(app1)

        if app_in_group2:
            group2.can_web_applications.add(app1)

        return self.client.get('/subauthreq/{}/'.format(app1.pk))
Пример #20
0
 def handle(self, *args, **option):
     try:
         Token.objects.count()
     except:
         print(
             "This is a fresh installation, not database exists. Skipping integrity check."
         )
         exit(0)
     print("Checking for lost users in OIDC provider tokens ...")
     for token in Token.objects.all():
         try:
             u = token.user
         except ObjectDoesNotExist:
             print(
                 f"Missing referenced user for OIDC provider token {token}. Deleting the token object."
             )
             token.delete()
     print("Checking for lost users in OIDC provider codes ...")
     for code in Code.objects.all():
         try:
             u = code.user
         except ObjectDoesNotExist:
             print(
                 f"Missing referenced user for OIDC provider code {code}. Deleting the code object."
             )
             code.delete()
     print("Checking for lost users in OpenID consents ...")
     for consent in UserConsent.objects.all():
         try:
             u = consent.user
         except ObjectDoesNotExist:
             print(
                 f"Missing referenced user for OpenID consent {consent}. Deleting the consent object."
             )
             consent.delete()
     print("Checking for lost users in portal groups ...")
     for group in PortalGroup.objects.all():
         for entry in group.members.through.objects.all():
             try:
                 u = entry.user
             except ObjectDoesNotExist:
                 print(
                     f"Missing referenced user for group / user relation {entry}. Deleting the relation object."
                 )
                 entry.delete()
     print("Deleting obsolete social auth tables ...")
     with connection.cursor() as cursor:
         for table in [
                 "social_auth_usersocialauth", "social_auth_partial",
                 "social_auth_nonce", "social_auth_code",
                 "social_auth_association"
         ]:
             try:
                 cursor.execute(f"drop table {table};")
             except:
                 pass  # table already gone
     print(
         "Checking for lost namespaces in Kubernetes service accounts ...")
     # The manager crashes on the normal "objects.all()" access, so we use the ID-based reference check here
     for entry in KubernetesServiceAccount.objects.values():
         try:
             ns = KubernetesNamespace.objects.get(pk=entry['namespace_id'])
         except:
             print(
                 f"Missing referenced namespace for service account {entry}. Deleting the service account object."
             )
             broken_svca = KubernetesServiceAccount.objects.get(
                 pk=entry['id'])
             broken_svca.delete()
     print("Check for default portal groups ...")
     has_admin_group = PortalGroup.objects.filter(can_admin=True).exists()
     if not has_admin_group:
         print("Creating missing default group 'Admin users")
         admin_group = PortalGroup(name="Admin users", can_admin=True)
         admin_group.save()
Пример #21
0
 def test_group_non_member(self):
     group1 = PortalGroup(name="group1")
     group1.save()
     response = self.get(f'/api/{API_VERSION}/groups/{group1.pk}/')
     self.assertEqual(response.status_code, 403)
Пример #22
0
def test_group_non_member(api_client):
    group1 = PortalGroup(name="group1")
    group1.save()
    response = api_client.get(
        f'/api/{settings.API_VERSION}/groups/{group1.pk}/')
    assert response.status_code == 404
Пример #23
0
def test_approval_groups(admin_client, admin_user, client, second_user,
                         mailoutbox, random_namespace_name):
    client.force_login(second_user)
    assert second_user.state == second_user.NEW
    response = client.post('/access/request/',
                           {'selected-administrator': admin_user.username})
    assertRedirects(response, '/config/')
    second_user.refresh_from_db()
    approval_url = f"/admin/kubeportal/user/{second_user.approval_id}/approve/"
    # We only check for non-special groups (all / K8s users) here, they are tested elsewhere
    group1 = PortalGroup(name="Group the user does not have, and gets")
    group1.save()
    group2 = PortalGroup(name="Group the user already has, and keeps")
    group2.save()
    second_user.portal_groups.add(group2)
    group3 = PortalGroup(
        name="Group the user does not have, and still don't get")
    group3.save()
    group4 = PortalGroup(name="Group the user already has, and looses")
    group4.save()
    second_user.portal_groups.add(group4)
    # Perform approval with new namespace as admin
    assert second_user.state == second_user.ACCESS_REQUESTED
    response = admin_client.post(
        approval_url, {
            'choice': 'approve_create',
            'approve_create_name': random_namespace_name,
            'comments': '',
            'portal_groups': [group1.pk, group2.pk]
        })
    assertRedirects(response, '/admin/kubeportal/user/')
    second_user.refresh_from_db()
    assert second_user.k8s_namespaces()[0].name == random_namespace_name
    assert second_user.state == second_user.ACCESS_APPROVED
    assert group1 in list(second_user.portal_groups.all())
    assert group2 in list(second_user.portal_groups.all())
    assert group3 not in list(second_user.portal_groups.all())
    assert group4 not in list(second_user.portal_groups.all())
    assert second_user.answered_by != None
Пример #24
0
 def test_model_methods(self):
     admin_group = PortalGroup(name="Admins", can_admin=True)
     admin_group.save()
     admin_group.members.add(self.second_user)
     self.assertEqual(admin_group.has_member(self.second_user), True)
Пример #25
0
def test_groups_denied(api_client_anon):
    group1 = PortalGroup(name="group1")
    group1.save()
    response = api_client_anon.get(
        f'/api/{settings.API_VERSION}/groups/{group1.pk}/')
    assert response.status_code == 401
Пример #26
0
def test_admin_attrib_multiple(second_user):
    # create two admin groups
    admin_group1 = PortalGroup(name="Admins1", can_admin=True)
    admin_group1.save()
    admin_group2 = PortalGroup(name="Admins2", can_admin=True)
    admin_group2.save()
    # add same person to both groups
    admin_group1.members.add(second_user)
    admin_group2.members.add(second_user)
    admin_group1.save()
    admin_group2.save()
    # person should be admin now
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is True
    # remove from first group, should still be admin
    admin_group1.members.remove(second_user)
    admin_group1.save()
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is True
    # remove from second group, should lose admin status
    admin_group2.members.remove(second_user)
    second_user.refresh_from_db()  # catch changes from signal handlers
    assert second_user.is_staff is False
Пример #27
0
def test_model_methods(second_user):
    admin_group = PortalGroup(name="Admins", can_admin=True)
    admin_group.save()
    admin_group.members.add(second_user)
    assert admin_group.has_member(second_user) is True