
0002-misc-fix-admin-role-bad-permissions-using-get_admin_.patch

Benjamin Dauvergne, 22 octobre 2020 13:37



Subject: [PATCH 2/3] misc: fix admin role bad permissions using get_admin_role
 (#42179)

 .../management/commands/check-and-repair.py    | 17 ++++++++++-------
 tests/test_commands.py                         | 18 ++++++++++++++----
 2 files changed, 24 insertions(+), 11 deletions(-)
src/authentic2/management/commands/check-and-repair.py
331 331
            count = admin_permissions.count()
332 332
            if not count:
333 333
                self.warning('invalid admin role "%s" no admin permission', admin_role)
334
            elif count > 1:
335
                self.warning('invalid admin role "%s" too many admin permissions', admin_role)
334
            elif count != 2:
335
                self.warning('invalid admin role "%s" too few or too many admin permissions', admin_role)
336 336
                for admin_permission in admin_permissions:
337 337
                    self.notice(' - %s', admin_permission)
338 338
            for admin_permission in admin_permissions:
339 339
                if MANAGE_MEMBERS_OP and admin_permission.operation != manage_members_op:
340 340
                    self.warning('invalid admin role "%s" invalid permission "%s": not manage_members operation',
341 341
                                 admin_role, admin_permission)
342
                if admin_permission != admin_role.admin_scope:
343
                    self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope',
344
                                 admin_role, admin_permission)
345
                if admin_permission.ou != admin_permission.target.ou:
346
                    self.warning('invalid admin role "%s" invalid permission "%s": wrong ou',
342
                if not (
343
                        (admin_permission.target != admin_role and admin_permission == admin_role.admin_scope)
344
                        or (admin_permission.target == admin_role)):
345
                    self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope and not self manage permission',
347 346
                                 admin_role, admin_permission)
347
                if admin_permission.ou is not None:
348
                    self.warning('invalid admin role "%s" invalid permission "%s": wrong ou "%s"',
349
                                 admin_role, admin_permission, admin_permission.ou)
350
                    admin_permission.target.get_admin_role()
348 351
                if admin_permission.target.ou != admin_role.ou:
349 352
                    self.warning('invalid admin role "%s" wrong ou, should be "%s" is "%s"',
350 353
                                 admin_role, admin_permission.target.ou, admin_role.ou)
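Review bot: The `admin_permission.target.get_admin_role()` call added under the `wrong ou` warning appears to mutate the permission set during what otherwise reads as a check pass — nothing in the hunk gates it on a repair mode, yet the accompanying test only exercises it through `--repair`. If the command has a check-only mode, the call should sit behind that flag (`if <repair_flag>:` — use the command's actual attribute) so a plain check stays read-only and the printed warning remains the only effect; if it already lives in a repair-only path, that is not visible from the hunk and should be stated. The return value is discarded and the side effect is invisible at the call site, so add a why-comment such as `# presumably get_admin_role() recreates the admin permissions with ou=None — confirm`. Also consider naming the new `not ((target != admin_role and perm == admin_scope) or target == admin_role)` test with a local like `is_admin_scope_perm` / `is_self_manage_perm` before the `if`, as the double negation is hard to read. The enclosing method starts and ends outside the hunk.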
tests/test_commands.py
25 25
from django.utils.timezone import now
26 26
import py
27 27

  
28
from authentic2.a2_rbac.models import MANAGE_MEMBERS_OP
28 29
from authentic2.a2_rbac.utils import get_default_ou
29 30
from authentic2.models import UserExternalId
30 31
from authentic2_auth_oidc.models import OIDCProvider, OIDCAccount
......
299 300
    role1 = Role.objects.create(name='Role 1', slug='role-1', ou=default_ou)
300 301
    perm1 = Permission.objects.create(
301 302
        operation=admin_op, target_id=role1.id,
303
        ou=default_ou,
302 304
        target_ct=ContentType.objects.get_for_model(Role))
303 305

  
304 306
    manager_role1 = Role.objects.create(
......
312 314
    captured = capsys.readouterr()
313 315
    assert '"Managers of Role 1": no admin scope' in captured.out
314 316
    assert 'Managers of Role 1" wrong ou, should be "Default organizational unit"' in captured.out
315
    assert 'invalid permission "Management / role / Role 1": not manage_members operation' in captured.out
316
    assert 'invalid permission "Management / role / Role 1": not admin_scope' in captured.out
317
    assert 'invalid permission "Management / role / Role 1": wrong ou' in captured.out
318

  
317
    assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not manage_members operation' in captured.out
318
    assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not admin_scope' in captured.out
319
    assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": wrong ou' in captured.out
320

  
321
    perm1 = Permission.objects.get(operation=admin_op, target_id=role1.id)
322
    assert perm1.ou == default_ou
323
    manage_members_op = get_operation(MANAGE_MEMBERS_OP)
324
    perm1.op = manage_members_op
325
    perm1.save()
326
    call_command('check-and-repair', '--repair', '--noinput')
327
    perm1 = Permission.objects.get(operation=manage_members_op, target_id=role1.id)
328
    assert perm1.ou is None
319 329

  
320 330
def test_check_and_delete_unused_permissions(db, capsys, simple_user):
321 331
    Permission = get_permission_model()
322
-