def user_token(self):
user = User(username="******").save()
user_token = UserToken(
expires_at=datetime.utcnow() + timedelta(minutes=10),
user=user,
uuid=uuid4(),
).save()
yield user_token
user_token.delete()
user.delete()
def user_with_permission(event_forward_role):
role_assignment = RoleAssignment(
role=event_forward_role,
domain={
"scope": "Global",
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def user_admin(user_admin_role):
role_assignment = RoleAssignment(role=user_admin_role,
domain={"scope": "Global"})
user = User(username="******")
user.set_password("password")
user.role_assignments = [role_assignment]
user.save()
yield user
user.delete()
def user_with_role_assignments():
role = Role(name="assignedrole1", permissions=["garden:read"]).save()
role_assignment = RoleAssignment(domain={
"scope": "Garden",
"identifiers": {
"name": "garden1"
}
},
role=role)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
role.delete()
def user(user_password):
user = User(username="******")
user.set_password(user_password)
user.save()
yield user
user.delete()
def data_cleanup():
"""Cleanup all data between test modules to ensure each one is independent"""
yield
Event.drop_collection()
File.drop_collection()
Garden.drop_collection()
Job.drop_collection()
RawFile.drop_collection()
Request.drop_collection()
RemoteUser.drop_collection()
Role.drop_collection()
System.drop_collection()
User.drop_collection()
UserToken.drop_collection()
def user_with_permission(garden_permitted, queue_manager_role):
role_assignment = RoleAssignment(
role=queue_manager_role,
domain={
"scope": "Garden",
"identifiers": {
"name": garden_permitted.name,
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def user_with_permission(garden, garden_admin_role):
role_assignment = RoleAssignment(
role=garden_admin_role,
domain={
"scope": "Garden",
"identifiers": {
"name": garden.name
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def _anonymous_superuser(self) -> "User":
"""Return a User object with all permissions for all gardens"""
anonymous_superuser = User(username="******")
# Manually set the permissions cache (to all permissions for all gardens) since
# the anonymous user has no actual role assignments from which the permissions
# could be calculated
permissions = {"global_permissions": [], "domain_permissions": {}}
for permission in Permissions:
permissions["global_permissions"].append(permission.value)
anonymous_superuser.set_permissions_cache(permissions)
return anonymous_superuser
def user_with_role_assignments(
role_assignment_for_garden_scope,
role_assignment_for_system_scope,
role_assignment_for_global_scope,
):
user = User(
username="******",
role_assignments=[
role_assignment_for_garden_scope,
role_assignment_for_system_scope,
role_assignment_for_global_scope,
],
).save()
yield user
user.delete()
def user(request_permitted, operator_role):
role_assignment = RoleAssignment(
role=operator_role,
domain={
"scope": "System",
"identifiers": {
"name": request_permitted.system,
"namespace": request_permitted.namespace,
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def user(system_permitted, system_read_role):
role_assignment = RoleAssignment(
role=system_read_role,
domain={
"scope": "System",
"identifiers": {
"name": system_permitted.name,
"namespace": system_permitted.namespace,
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def test_initiate_user_sync_routes_to_each_running_garden(
self, monkeypatch, gardens):
monkeypatch.setattr(beer_garden.router, "route", Mock())
User(username="******").save()
initiate_user_sync()
assert beer_garden.router.route.call_count == len(
Garden.objects.filter(status="RUNNING"))
def get_user(self, request: HTTPServerRequest) -> Optional[User]:
"""Gets the User based on certificates supplied with in the request body
Args:
request: tornado HTTPServerRequest object
Returns:
User: The User object for the user specified by the certificates
None: If no User was found
"""
authenticated_user: Optional[User] = None
if request.headers and self.group_mapping:
username = request.headers.get(self.username_header)
groups = self._groups_from_headers(request.headers)
if username and groups:
try:
authenticated_user = User.objects.get(username=username)
except User.DoesNotExist:
if self.create_users:
authenticated_user = User(username=username)
# TODO: Really we should just have an option on User to disable
# password logins. For now, just set a random-ish value.
authenticated_user.set_password(str(uuid4()))
if authenticated_user:
authenticated_user.role_assignments = (
self._role_assignments_from_groups(groups))
authenticated_user.save()
return authenticated_user
def user_to_sync(self):
role = Role(name="role1").save()
role_assignment = RoleAssignment(role=role, domain={"scope": "Global"})
user = User(username="******",
password="******",
role_assignments=[role_assignment])
yield user
role.delete()
def read_only_user(garden_permitted, garden_read_role):
role_assignment = RoleAssignment(
role=garden_read_role,
domain={
"scope": "Garden",
"identifiers": {
"name": garden_permitted.name,
},
},
)
user = User(username="******", role_assignments=[role_assignment]).save()
yield user
user.delete()
def test_user_has_permission_for_object_request_through_user(
self,
test_request,
):
"""user_has_permission_for_object returns true for a System in which the
user has Garden level access for the required permission
"""
# Set the requester of the request to be our "owner" test user
owner = User(username="******")
test_request.requester = owner.username
test_request.save()
assert user_has_permission_for_object(
owner, OBJECT_OWNER_PERMISSIONS[0], test_request
)
assert not user_has_permission_for_object(owner, "noaccess", test_request)
def ensure_users():
"""Create the default admin user if necessary"""
if User.objects.count() == 0:
username = config.get("auth.default_admin.username")
password = config.get("auth.default_admin.password")
superuser_role = Role.objects.get(name="superuser")
logger.info("Creating default admin user with username: %s", username)
admin = User(username=username)
admin.set_password(password)
admin.role_assignments = [
RoleAssignment(role=superuser_role, domain={"scope": "Global"})
]
admin.save()
def test_update_user(self):
user = User(username="******", password="******")
user.save()
prev_password = user.password
updated_user = update_user(user,
username="******",
password="******")
assert type(updated_user) is User
assert User.objects.filter(username="******").count() == 0
assert User.objects.filter(username="******").count() == 1
assert updated_user.username == "differentuser"
# Check for differences rather than actual values to avoid making these
# assertions dependent on our specific hashing algorithm. We check that:
# 1) The password changed
# 2) It is not the plaintext password we provided
assert updated_user.password != prev_password
assert updated_user.password != "badpassword"
def user(garden_permitted, garden_admin_role, garden_create_role):
role_assignments = [
RoleAssignment(
role=garden_admin_role,
domain={
"scope": "Garden",
"identifiers": {
"name": garden_permitted.name,
},
},
),
RoleAssignment(
role=garden_create_role,
domain={
"scope": "Global",
},
),
]
user = User(username="******", role_assignments=role_assignments).save()
yield user
user.delete()
def existing_user(self):
user = User(username="******").save()
yield user
user.delete()
def drop():
Garden.drop_collection()
Role.drop_collection()
System.drop_collection()
User.drop_collection()
def test_user_synced_with_garden_returns_true_for_no_relevant_assignments(
self):
user = User(username="******")
garden = Garden(name="garden")
assert user_synced_with_garden(user, garden) is True
def drop_users(self):
yield
User.drop_collection()
def user(self, role_assignment):
user = User(username="******",
role_assignments=[role_assignment]).save()
yield user
user.delete()
def user_without_permission(event_forward_role):
user = User(username="******").save()
yield user
user.delete()
def user_without_permission():
user = User(username="******").save()
yield user
user.delete()
