0001-a2_rbac-rename-role-s-admin-role-on-role-s-rename-34.patch
| src/authentic2/a2_rbac/managers.py | ||
|---|---|---|
| 30 | 30 |
class RoleManager(BaseRoleManager): |
| 31 | 31 |
def get_admin_role(self, instance, name, slug, ou=None, operation=ADMIN_OP, |
| 32 | 32 |
update_name=False, update_slug=False, permissions=(), |
| 33 |
self_administered=False): |
|
| 33 |
self_administered=False, create=True):
|
|
| 34 | 34 |
'''Get or create the role of manager's of this object instance''' |
| 35 | 35 |
kwargs = {}
|
| 36 | 36 |
if ou or getattr(instance, 'ou', None): |
| ... | ... | |
| 40 | 40 |
# find an operation matching the template |
| 41 | 41 |
op = get_operation(operation) |
| 42 | 42 |
Permission = rbac_utils.get_permission_model() |
| 43 |
perm, created = Permission.objects.get_or_create( |
|
| 44 |
operation=op, |
|
| 45 |
target_ct=ContentType.objects.get_for_model(instance), |
|
| 46 |
target_id=instance.pk, |
|
| 47 |
**kwargs) |
|
| 43 |
if create: |
|
| 44 |
perm, created = Permission.objects.get_or_create( |
|
| 45 |
operation=op, |
|
| 46 |
target_ct=ContentType.objects.get_for_model(instance), |
|
| 47 |
target_id=instance.pk, |
|
| 48 |
**kwargs) |
|
| 49 |
else: |
|
| 50 |
try: |
|
| 51 |
perm = Permission.objects.get( |
|
| 52 |
operation=op, |
|
| 53 |
target_ct=ContentType.objects.get_for_model(instance), |
|
| 54 |
target_id=instance.pk, |
|
| 55 |
**kwargs) |
|
| 56 |
except Permission.DoesNotExist: |
|
| 57 |
return None |
|
| 58 |
created = False |
|
| 59 | ||
| 48 | 60 |
admin_role = self.get_mirror_role(perm, name, slug, ou=ou, |
| 49 | 61 |
update_name=update_name, |
| 50 |
update_slug=update_slug) |
|
| 62 |
update_slug=update_slug, |
|
| 63 |
create=create) |
|
| 64 | ||
| 65 |
if not admin_role: |
|
| 66 |
return None |
|
| 67 | ||
| 51 | 68 |
permissions = set(permissions) |
| 52 | 69 |
permissions.add(perm) |
| 53 | 70 |
if self_administered: |
| ... | ... | |
| 60 | 77 |
return admin_role |
| 61 | 78 | |
| 62 | 79 |
def get_mirror_role(self, instance, name, slug, ou=None, |
| 63 |
update_name=False, update_slug=False): |
|
| 80 |
update_name=False, update_slug=False, create=True):
|
|
| 64 | 81 |
'''Get or create a role which mirror another model, for example a |
| 65 | 82 |
permission. |
| 66 | 83 |
''' |
| ... | ... | |
| 70 | 87 |
kwargs['ou'] = ou or instance.ou |
| 71 | 88 |
else: |
| 72 | 89 |
kwargs['ou__isnull'] = True |
| 73 |
role, created = self.prefetch_related('permissions').get_or_create(
|
|
| 74 |
admin_scope_ct=ct, |
|
| 75 |
admin_scope_id=instance.pk, |
|
| 76 |
defaults={
|
|
| 77 |
'name': name, |
|
| 78 |
'slug': slug, |
|
| 79 |
}, |
|
| 80 |
**kwargs) |
|
| 90 |
if create: |
|
| 91 |
role, created = self.prefetch_related('permissions').get_or_create(
|
|
| 92 |
admin_scope_ct=ct, |
|
| 93 |
admin_scope_id=instance.pk, |
|
| 94 |
defaults={
|
|
| 95 |
'name': name, |
|
| 96 |
'slug': slug, |
|
| 97 |
}, |
|
| 98 |
**kwargs) |
|
| 99 |
else: |
|
| 100 |
try: |
|
| 101 |
role = self.prefetch_related('permissions').get(
|
|
| 102 |
admin_scope_ct=ct, |
|
| 103 |
admin_scope_id=instance.pk, |
|
| 104 |
**kwargs) |
|
| 105 |
except self.model.DoesNotExist: |
|
| 106 |
return None |
|
| 107 |
created = False |
|
| 108 | ||
| 81 | 109 |
if update_name and not created and role.name != name: |
| 82 | 110 |
role.name = name |
| 83 | 111 |
role.save() |
| src/authentic2/a2_rbac/models.py | ||
|---|---|---|
| 203 | 203 |
content_type_field='target_ct', |
| 204 | 204 |
object_id_field='target_id') |
| 205 | 205 | |
| 206 |
def get_admin_role(self, ou=None): |
|
| 206 |
def get_admin_role(self, ou=None, create=True):
|
|
| 207 | 207 |
from . import utils |
| 208 | 208 |
admin_role = self.__class__.objects.get_admin_role( |
| 209 | 209 |
self, ou=self.ou, |
| ... | ... | |
| 212 | 212 |
slug='_a2-managers-of-role-{role}'.format(
|
| 213 | 213 |
role=slugify(six.text_type(self))), |
| 214 | 214 |
permissions=(utils.get_view_user_perm(),), |
| 215 |
self_administered=True) |
|
| 215 |
self_administered=True, |
|
| 216 |
update_name=True, |
|
| 217 |
update_slug=True, |
|
| 218 |
create=create) |
|
| 216 | 219 |
return admin_role |
| 217 | 220 | |
| 218 | 221 |
def validate_unique(self, exclude=None): |
| ... | ... | |
| 237 | 240 |
# Service roles can only be part of the same ou as the service |
| 238 | 241 |
if self.service: |
| 239 | 242 |
self.ou = self.service.ou |
| 240 |
return super(Role, self).save(*args, **kwargs) |
|
| 243 |
result = super(Role, self).save(*args, **kwargs) |
|
| 244 |
self.get_admin_role(create=False) |
|
| 245 |
return result |
|
| 241 | 246 | |
| 242 | 247 |
def has_self_administration(self, op=CHANGE_OP): |
| 243 | 248 |
Permission = rbac_utils.get_permission_model() |
| tests/test_a2_rbac.py | ||
|---|---|---|
| 69 | 69 |
ou = OU.objects.create(name='ou', slug='ou') |
| 70 | 70 |
role = Role.objects.create(name='some role', ou=ou) |
| 71 | 71 |
role_dict = role.export_json() |
| 72 |
assert role_dict['ou'] == {'uuid': ou.uuid, 'slug': ou.slug, 'name': ou.name}
|
|
| 72 |
assert role_dict['ou'] == {'uuid': ou.uuid, 'slug': ou.slug, 'name': ou.name}
|
|
| 73 | 73 | |
| 74 | 74 | |
| 75 | 75 |
def test_role_with_service_export_json(db): |
| 76 | 76 |
service = Service.objects.create(name='service name', slug='service-name') |
| 77 | 77 |
role = Role.objects.create(name='some role', service=service) |
| 78 | 78 |
role_dict = role.export_json() |
| 79 |
assert role_dict['service'] == {'slug': service.slug, 'ou': None}
|
|
| 79 |
assert role_dict['service'] == {'slug': service.slug, 'ou': None}
|
|
| 80 | 80 | |
| 81 | 81 | |
| 82 | 82 |
def test_role_with_service_with_ou_export_json(db): |
| ... | ... | |
| 85 | 85 |
role = Role.objects.create(name='some role', service=service) |
| 86 | 86 |
role_dict = role.export_json() |
| 87 | 87 |
assert role_dict['service'] == {
|
| 88 |
'slug': service.slug, 'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}}
|
|
| 88 |
'slug': service.slug, 'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}}
|
|
| 89 | 89 | |
| 90 | 90 | |
| 91 | 91 |
def test_role_with_attributes_export_json(db): |
| ... | ... | |
| 218 | 218 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
| 219 | 219 | |
| 220 | 220 | |
| 221 |
def test_admin_cleanup_bulk_delete(db): |
|
| 222 |
r1 = Role.objects.create(name='r1') |
|
| 223 | ||
| 224 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
|
| 225 | ||
| 226 |
r1.get_admin_role() |
|
| 227 | ||
| 228 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 1 |
|
| 229 | ||
| 230 |
Role.objects.filter(name='r1').delete() |
|
| 231 | ||
| 232 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
|
| 233 | ||
| 234 | ||
| 221 | 235 |
def test_admin_cleanup_failure(db): |
| 222 | 236 |
Role.objects.create( |
| 223 | 237 |
name='manager of r1', |
| ... | ... | |
| 242 | 256 |
call_command('cleanupauthentic')
|
| 243 | 257 | |
| 244 | 258 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
| 259 | ||
| 260 | ||
| 261 |
def test_role_rename(db): |
|
| 262 |
r1 = Role.objects.create(name='r1') |
|
| 263 |
assert r1.slug == 'r1' |
|
| 264 | ||
| 265 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
|
| 266 | ||
| 267 |
assert not r1.get_admin_role(create=False) |
|
| 268 | ||
| 269 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
|
| 270 | ||
| 271 |
ar1 = r1.get_admin_role() |
|
| 272 | ||
| 273 |
assert ar1 |
|
| 274 |
assert ar1.name == 'Managers of role "r1"' |
|
| 275 |
assert ar1.slug == '_a2-managers-of-role-r1' |
|
| 276 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 1 |
|
| 277 | ||
| 278 |
assert ar1.name == 'Managers of role "r1"' |
|
| 279 | ||
| 280 |
Role.objects.filter(pk=r1.pk).update(name='r1bis') |
|
| 281 | ||
| 282 |
r1.refresh_from_db() |
|
| 283 |
ar1.refresh_from_db() |
|
| 284 | ||
| 285 |
assert r1.name == 'r1bis' |
|
| 286 |
assert ar1.name == 'Managers of role "r1"' |
|
| 287 | ||
| 288 |
ar1 = r1.get_admin_role(create=False) |
|
| 289 | ||
| 290 |
assert ar1.name == 'Managers of role "r1bis"' |
|
| 291 |
assert ar1.slug == '_a2-managers-of-role-r1bis' |
|
| 292 | ||
| 293 |
r1.name = 'r1ter' |
|
| 294 |
r1.save() |
|
| 295 |
ar1.refresh_from_db() |
|
| 296 | ||
| 297 |
assert ar1.name == 'Managers of role "r1ter"' |
|
| 298 |
assert ar1.slug == '_a2-managers-of-role-r1ter' |
|
| 245 |
- |
|