OU consistency check between api client and roles at validation (#72703)

2022-12-22 11:46:46 +01:00 · 2022-12-22 11:46:46 +01:00 · 1d668a16bb
parent ed292f6515
commit 1d668a16bb
2 changed files with 40 additions and 4 deletions
--- a/src/authentic2/manager/forms.py
+++ b/src/authentic2/manager/forms.py
@ -939,6 +939,20 @@ class APIClientForm(forms.ModelForm):
        'apiclient_roles',
    )

+    def clean(self):
+        ou = self.cleaned_data['ou']
+        if ou:
+            unauthorized_roles = self.cleaned_data['apiclient_roles'].exclude(ou=ou)
+            if unauthorized_roles:
+                unauthorized_roles = ', '.join(unauthorized_roles.values_list('name', flat=True))
+                self.add_error(
+                    'apiclient_roles',
+                    _(
+                        f'The following roles do not belong to organizational unit {ou.name}: {unauthorized_roles}.'
+                    ),
+                )
+        return super().clean()
+
    class Meta:
        model = APIClient
        fields = (
--- a/tests/test_manager_apiclient.py
+++ b/tests/test_manager_apiclient.py
@ -20,6 +20,7 @@ import pytest
 from django.urls import reverse

 from authentic2.a2_rbac.models import Role
+from authentic2.a2_rbac.utils import get_default_ou
 from authentic2.models import APIClient

 from .utils import login
@ -159,8 +160,8 @@ def test_list_show_objects_local_admin(admin_ou1, app, ou1, ou2):

 def test_add(superuser, app):
    assert APIClient.objects.count() == 0
-    role_1 = Role.objects.create(name='role-1')
-    role_2 = Role.objects.create(name='role-2')
+    role_1 = Role.objects.create(name='role-1', ou=get_default_ou())
+    role_2 = Role.objects.create(name='role-2', ou=get_default_ou())
    resp = login(app, superuser, 'a2-manager-api-client-add')
    form = resp.form
    # password is prefilled
@ -195,8 +196,8 @@ def test_add_local_admin(admin_ou1, app, ou1, ou2):

 def test_add_description_non_mandatory(superuser, app):
    assert APIClient.objects.count() == 0
-    role_1 = Role.objects.create(name='role-1')
-    role_2 = Role.objects.create(name='role-2')
+    role_1 = Role.objects.create(name='role-1', ou=get_default_ou())
+    role_2 = Role.objects.create(name='role-2', ou=get_default_ou())
    resp = login(app, superuser, 'a2-manager-api-client-add')
    form = resp.form
    form.set('name', 'api-client-name')
@ -270,6 +271,27 @@ def test_edit(superuser, app, ou1, ou2):
    api_client = APIClient.objects.get(password='easy')
    assert api_client.identifier == 'foo-identifier'

+    resp = app.get(reverse('a2-manager-api-client-edit', kwargs={'pk': api_client.pk}))
+    form = resp.form
+    form.set('ou', ou2.id)
+    response = form.submit()
+    errmsg = response.pyquery('div.error')[0].text
+    assert "do not belong to organizational unit OU2: role-1, role-3." in errmsg
+    response.form.set('ou', ou2.id)
+    response.form['apiclient_roles'].force_value([])
+    response.form.submit().follow()
+    api_client = APIClient.objects.get()
+    assert set(api_client.apiclient_roles.all()) == set()
+    assert api_client.ou == ou2
+
+    resp = app.get(reverse('a2-manager-api-client-edit', kwargs={'pk': api_client.pk}))
+    form = resp.form
+    form['apiclient_roles'].force_value([role_2.id])
+    response = form.submit().follow()
+    api_client = APIClient.objects.get()
+    assert api_client.ou == ou2
+    assert set(api_client.apiclient_roles.all()) == {role_2}
+

 def test_edit_local_admin(admin_ou1, app, ou1, ou2):
    role_1 = Role.objects.create(name='role-1', ou=ou1)