0004-OU-consistency-check-between-api-client-and-roles-at.patch

Paul Marillonnet, 23 décembre 2022 12:51

Subject: [PATCH 4/4] OU consistency check between api client and roles at
 validation (#72703)

 src/authentic2/manager/forms.py | 14 ++++++++++++++
 tests/test_manager_apiclient.py | 30 ++++++++++++++++++++++++++----
 2 files changed, 40 insertions(+), 4 deletions(-)
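--- a/src/authentic2/manager/forms.py
+++ b/src/authentic2/manager/forms.py
@@ -927,6 +927,20 @@
         'apiclient_roles',
     )
 
+    def clean(self):
+        ou = self.cleaned_data['ou']
+        if ou:
+            unauthorized_roles = self.cleaned_data['apiclient_roles'].exclude(ou=ou)
+            if unauthorized_roles:
+                unauthorized_roles = ', '.join(unauthorized_roles.values_list('name', flat=True))
+                self.add_error(
+                    'apiclient_roles',
+                    _(
+                        f'The following roles do not belong to organizational unit {ou.name}: {unauthorized_roles}.'
+                    ),
+                )
+        return super().clean()
+
     class Meta:
         model = APIClient
         fields = (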
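Review bot: In the added `clean()`, `self.cleaned_data['ou']` and `self.cleaned_data['apiclient_roles']` are indexed directly, but Django leaves a field out of `cleaned_data` when its own validation fails, so a submission carrying an invalid `ou` or role id would raise `KeyError` (a 500) instead of rendering the field error; reading them with `self.cleaned_data.get('ou')` and `self.cleaned_data.get('apiclient_roles')` and skipping the OU check when either is missing avoids that. The message is built as `_(f'...')`, which interpolates before the catalog lookup (assuming `_` is a Django gettext function here), so the msgid can never match a translation and cannot be extracted; `_('The following roles do not belong to organizational unit %(ou)s: %(roles)s.') % {'ou': ou.name, 'roles': unauthorized_roles}` keeps it translatable. When `ou` is empty the check is skipped entirely, so a client without an OU can hold roles from any OU; if that is the intended behaviour for such clients, a one-line comment above `if ou:` saying so would make the authorization rule explicit. The form class itself starts outside the hunk, so whether other write paths to `apiclient_roles` apply the same OU rule cannot be told from here.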
tests/test_manager_apiclient.py
20 20
from django.urls import reverse
21 21

  
22 22
from authentic2.a2_rbac.models import Role
23
from authentic2.a2_rbac.utils import get_default_ou
23 24
from authentic2.models import APIClient
24 25

  
25 26
from .utils import login
......
159 160

  
160 161
def test_add(superuser, app):
161 162
    assert APIClient.objects.count() == 0
162
    role_1 = Role.objects.create(name='role-1')
163
    role_2 = Role.objects.create(name='role-2')
163
    role_1 = Role.objects.create(name='role-1', ou=get_default_ou())
164
    role_2 = Role.objects.create(name='role-2', ou=get_default_ou())
164 165
    resp = login(app, superuser, 'a2-manager-api-client-add')
165 166
    form = resp.form
166 167
    # password is prefilled
......
195 196

  
196 197
def test_add_description_non_mandatory(superuser, app):
197 198
    assert APIClient.objects.count() == 0
198
    role_1 = Role.objects.create(name='role-1')
199
    role_2 = Role.objects.create(name='role-2')
199
    role_1 = Role.objects.create(name='role-1', ou=get_default_ou())
200
    role_2 = Role.objects.create(name='role-2', ou=get_default_ou())
200 201
    resp = login(app, superuser, 'a2-manager-api-client-add')
201 202
    form = resp.form
202 203
    form.set('name', 'api-client-name')
......
270 271
    api_client = APIClient.objects.get(password='easy')
271 272
    assert api_client.identifier == 'foo-identifier'
272 273

  
274
    resp = app.get(reverse('a2-manager-api-client-edit', kwargs={'pk': api_client.pk}))
275
    form = resp.form
276
    form.set('ou', ou2.id)
277
    response = form.submit()
278
    errmsg = response.pyquery('div.error')[0].text
279
    assert "do not belong to organizational unit OU2: role-1, role-3." in errmsg
280
    response.form.set('ou', ou2.id)
281
    response.form['apiclient_roles'].force_value([])
282
    response.form.submit().follow()
283
    api_client = APIClient.objects.get()
284
    assert set(api_client.apiclient_roles.all()) == set()
285
    assert api_client.ou == ou2
286

  
287
    resp = app.get(reverse('a2-manager-api-client-edit', kwargs={'pk': api_client.pk}))
288
    form = resp.form
289
    form['apiclient_roles'].force_value([role_2.id])
290
    response = form.submit().follow()
291
    api_client = APIClient.objects.get()
292
    assert api_client.ou == ou2
293
    assert set(api_client.apiclient_roles.all()) == {role_2}
294

  
273 295

  
274 296
def test_edit_local_admin(admin_ou1, app, ou1, ou2):
275 297
    role_1 = Role.objects.create(name='role-1', ou=ou1)
276
-