0003-a2_rbac-rename-role-s-admin-role-on-role-s-rename-34.patch
src/authentic2/a2_rbac/managers.py | ||
---|---|---|
30 | 30 |
class RoleManager(BaseRoleManager): |
31 | 31 |
def get_admin_role(self, instance, name, slug, ou=None, operation=ADMIN_OP, |
32 | 32 |
update_name=False, update_slug=False, permissions=(), |
33 |
self_administered=False): |
|
33 |
self_administered=False, create=True):
|
|
34 | 34 |
'''Get or create the role of manager's of this object instance''' |
35 | 35 |
kwargs = {} |
36 | 36 |
if ou or getattr(instance, 'ou', None): |
... | ... | |
40 | 40 |
# find an operation matching the template |
41 | 41 |
op = get_operation(operation) |
42 | 42 |
Permission = rbac_utils.get_permission_model() |
43 |
perm, created = Permission.objects.get_or_create( |
|
44 |
operation=op, |
|
45 |
target_ct=ContentType.objects.get_for_model(instance), |
|
46 |
target_id=instance.pk, |
|
47 |
**kwargs) |
|
43 |
if create: |
|
44 |
perm, created = Permission.objects.get_or_create( |
|
45 |
operation=op, |
|
46 |
target_ct=ContentType.objects.get_for_model(instance), |
|
47 |
target_id=instance.pk, |
|
48 |
**kwargs) |
|
49 |
else: |
|
50 |
try: |
|
51 |
perm = Permission.objects.get( |
|
52 |
operation=op, |
|
53 |
target_ct=ContentType.objects.get_for_model(instance), |
|
54 |
target_id=instance.pk, |
|
55 |
**kwargs) |
|
56 |
except Permission.DoesNotExist: |
|
57 |
return None |
|
58 |
created = False |
|
59 | ||
48 | 60 |
admin_role = self.get_mirror_role(perm, name, slug, ou=ou, |
49 | 61 |
update_name=update_name, |
50 |
update_slug=update_slug) |
|
62 |
update_slug=update_slug, |
|
63 |
create=create) |
|
64 | ||
65 |
if not admin_role: |
|
66 |
return None |
|
67 | ||
51 | 68 |
permissions = set(permissions) |
52 | 69 |
permissions.add(perm) |
53 | 70 |
if self_administered: |
... | ... | |
60 | 77 |
return admin_role |
61 | 78 | |
62 | 79 |
def get_mirror_role(self, instance, name, slug, ou=None, |
63 |
update_name=False, update_slug=False): |
|
80 |
update_name=False, update_slug=False, create=True):
|
|
64 | 81 |
'''Get or create a role which mirror another model, for example a |
65 | 82 |
permission. |
66 | 83 |
''' |
... | ... | |
70 | 87 |
kwargs['ou'] = ou or instance.ou |
71 | 88 |
else: |
72 | 89 |
kwargs['ou__isnull'] = True |
73 |
role, created = self.prefetch_related('permissions').get_or_create( |
|
74 |
admin_scope_ct=ct, |
|
75 |
admin_scope_id=instance.pk, |
|
76 |
defaults={ |
|
77 |
'name': name, |
|
78 |
'slug': slug, |
|
79 |
}, |
|
80 |
**kwargs) |
|
90 |
if create: |
|
91 |
role, created = self.prefetch_related('permissions').get_or_create( |
|
92 |
admin_scope_ct=ct, |
|
93 |
admin_scope_id=instance.pk, |
|
94 |
defaults={ |
|
95 |
'name': name, |
|
96 |
'slug': slug, |
|
97 |
}, |
|
98 |
**kwargs) |
|
99 |
else: |
|
100 |
try: |
|
101 |
role = self.prefetch_related('permissions').get( |
|
102 |
admin_scope_ct=ct, |
|
103 |
admin_scope_id=instance.pk, |
|
104 |
**kwargs) |
|
105 |
except self.model.DoesNotExist: |
|
106 |
return None |
|
107 |
created = False |
|
108 | ||
81 | 109 |
if update_name and not created and role.name != name: |
82 | 110 |
role.name = name |
83 | 111 |
role.save() |
src/authentic2/a2_rbac/models.py | ||
---|---|---|
203 | 203 |
content_type_field='target_ct', |
204 | 204 |
object_id_field='target_id') |
205 | 205 | |
206 |
def get_admin_role(self, ou=None): |
|
206 |
def get_admin_role(self, ou=None, create=True):
|
|
207 | 207 |
from . import utils |
208 | 208 |
admin_role = self.__class__.objects.get_admin_role( |
209 | 209 |
self, ou=self.ou, |
... | ... | |
212 | 212 |
slug='_a2-managers-of-role-{role}'.format( |
213 | 213 |
role=slugify(six.text_type(self))), |
214 | 214 |
permissions=(utils.get_view_user_perm(),), |
215 |
self_administered=True) |
|
215 |
self_administered=True, |
|
216 |
update_name=True, |
|
217 |
update_slug=True, |
|
218 |
create=create) |
|
216 | 219 |
return admin_role |
217 | 220 | |
218 | 221 |
def validate_unique(self, exclude=None): |
... | ... | |
237 | 240 |
# Service roles can only be part of the same ou as the service |
238 | 241 |
if self.service: |
239 | 242 |
self.ou = self.service.ou |
240 |
return super(Role, self).save(*args, **kwargs) |
|
243 |
result = super(Role, self).save(*args, **kwargs) |
|
244 |
self.get_admin_role(create=False) |
|
245 |
return result |
|
241 | 246 | |
242 | 247 |
def has_self_administration(self, op=CHANGE_OP): |
243 | 248 |
Permission = rbac_utils.get_permission_model() |
tests/test_a2_rbac.py | ||
---|---|---|
69 | 69 |
ou = OU.objects.create(name='ou', slug='ou') |
70 | 70 |
role = Role.objects.create(name='some role', ou=ou) |
71 | 71 |
role_dict = role.export_json() |
72 |
assert role_dict['ou'] == {'uuid': ou.uuid, 'slug': ou.slug, 'name': ou.name}
|
|
72 |
assert role_dict['ou'] == {'uuid': ou.uuid, 'slug': ou.slug, 'name': ou.name} |
|
73 | 73 | |
74 | 74 | |
75 | 75 |
def test_role_with_service_export_json(db): |
76 | 76 |
service = Service.objects.create(name='service name', slug='service-name') |
77 | 77 |
role = Role.objects.create(name='some role', service=service) |
78 | 78 |
role_dict = role.export_json() |
79 |
assert role_dict['service'] == {'slug': service.slug, 'ou': None}
|
|
79 |
assert role_dict['service'] == {'slug': service.slug, 'ou': None} |
|
80 | 80 | |
81 | 81 | |
82 | 82 |
def test_role_with_service_with_ou_export_json(db): |
... | ... | |
85 | 85 |
role = Role.objects.create(name='some role', service=service) |
86 | 86 |
role_dict = role.export_json() |
87 | 87 |
assert role_dict['service'] == { |
88 |
'slug': service.slug, 'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}}
|
|
88 |
'slug': service.slug, 'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}} |
|
89 | 89 | |
90 | 90 | |
91 | 91 |
def test_role_with_attributes_export_json(db): |
... | ... | |
218 | 218 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
219 | 219 | |
220 | 220 | |
221 |
def test_admin_cleanup_bulk_delete(db): |
|
222 |
r1 = Role.objects.create(name='r1') |
|
223 | ||
224 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
|
225 | ||
226 |
r1.get_admin_role() |
|
227 | ||
228 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 1 |
|
229 | ||
230 |
Role.objects.filter(name='r1').delete() |
|
231 | ||
232 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
|
233 | ||
234 | ||
221 | 235 |
def test_admin_cleanup_failure(db): |
222 | 236 |
Role.objects.create( |
223 | 237 |
name='manager of r1', |
... | ... | |
242 | 256 |
call_command('cleanupauthentic') |
243 | 257 | |
244 | 258 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
259 | ||
260 | ||
261 |
def test_role_rename(db): |
|
262 |
r1 = Role.objects.create(name='r1') |
|
263 |
assert r1.slug == 'r1' |
|
264 | ||
265 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
|
266 | ||
267 |
assert not r1.get_admin_role(create=False) |
|
268 | ||
269 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 0 |
|
270 | ||
271 |
ar1 = r1.get_admin_role() |
|
272 | ||
273 |
assert ar1 |
|
274 |
assert ar1.name == 'Managers of role "r1"' |
|
275 |
assert ar1.slug == '_a2-managers-of-role-r1' |
|
276 |
assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 1 |
|
277 | ||
278 |
assert ar1.name == 'Managers of role "r1"' |
|
279 | ||
280 |
Role.objects.filter(pk=r1.pk).update(name='r1bis') |
|
281 | ||
282 |
r1.refresh_from_db() |
|
283 |
ar1.refresh_from_db() |
|
284 | ||
285 |
assert r1.name == 'r1bis' |
|
286 |
assert ar1.name == 'Managers of role "r1"' |
|
287 | ||
288 |
ar1 = r1.get_admin_role(create=False) |
|
289 | ||
290 |
assert ar1.name == 'Managers of role "r1bis"' |
|
291 |
assert ar1.slug == '_a2-managers-of-role-r1bis' |
|
292 | ||
293 |
r1.name = 'r1ter' |
|
294 |
r1.save() |
|
295 |
ar1.refresh_from_db() |
|
296 | ||
297 |
assert ar1.name == 'Managers of role "r1ter"' |
|
298 |
assert ar1.slug == '_a2-managers-of-role-r1ter' |
|
245 |
- |