From 89814b519b198cc67518e7dc4856e5425df64809 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 15 Oct 2020 12:30:14 +0200
Subject: [PATCH] misc: fix admin role bad permissions using get_admin_role (#42179)
---
 .../management/commands/check-and-repair.py | 17 ++++++++++-------
 tests/test_commands.py | 16 +++++++++++++---
 2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/src/authentic2/management/commands/check-and-repair.py b/src/authentic2/management/commands/check-and-repair.py
index b2c09605d..8e2ab34cc 100644
--- a/src/authentic2/management/commands/check-and-repair.py
+++ b/src/authentic2/management/commands/check-and-repair.py
@@ -331,20 +331,23 @@ class Command(BaseCommand):
 count = admin_permissions.count()
 if not count:
 self.warning('invalid admin role "%s" no admin permission', admin_role)
- elif count > 1:
- self.warning('invalid admin role "%s" too many admin permissions', admin_role)
+ elif count != 2:
+ self.warning('invalid admin role "%s" too few or too many admin permissions', admin_role)
 for admin_permission in admin_permissions:
 self.notice(' - %s', admin_permission)
 for admin_permission in admin_permissions:
 if MANAGE_MEMBERS_OP and admin_permission.operation != manage_members_op:
 self.warning('invalid admin role "%s" invalid permission "%s": not manage_members operation',
 admin_role, admin_permission)
- if admin_permission != admin_role.admin_scope:
- self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope',
- admin_role, admin_permission)
- if admin_permission.ou != admin_permission.target.ou:
- self.warning('invalid admin role "%s" invalid permission "%s": wrong ou',
+ if not (
+ (admin_permission.target != admin_role and admin_permission == admin_role.admin_scope)
+ or (admin_permission.target == admin_role)):
+ self.warning('invalid admin role "%s" invalid permission "%s": not admin_scope and not self manage permission',
 admin_role, admin_permission)
+ if admin_permission.ou is not None:
+ self.warning('invalid admin role "%s" invalid permission "%s": wrong ou "%s"',
+ admin_role, admin_permission, admin_permission.ou)
+ admin_permission.target.get_admin_role()
 if admin_permission.target.ou != admin_role.ou:
 self.warning('invalid admin role "%s" wrong ou, should be "%s" is "%s"',
 admin_role, admin_permission.target.ou, admin_role.ou)
diff --git a/tests/test_commands.py b/tests/test_commands.py
index 838ad1004..ac80ad6c4 100644
--- a/tests/test_commands.py
+++ b/tests/test_commands.py
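Review bot: `admin_permission.target.get_admin_role()` on the new side discards its return value and runs on every iteration of the permission loop, with no guard visible in the hunk tying it to the command's repair mode. The test added in this commit expects a `--repair` run to leave the role's manage_members permission with `ou` None, which suggests the call creates or updates permissions as a side effect; if that is so, a plain check run would also write to the database, and the call belongs behind the repair flag and outside the loop (the loop variable is not used by the call). At minimum document the intent, e.g. `# side effect: get_admin_role() (re)creates the target's admin role and permissions; return value unused`. The new `count != 2` branch and the `ou is not None` check also encode an undocumented invariant; a comment such as `# exactly two admin permissions are expected: one equal to admin_scope and one self-manage permission targeting the role itself` above the count check would make it explicit. The enclosing method of Command starts and ends outside the hunk.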
@@ -25,6 +25,7 @@ from django.utils import six from django.utils.timezone import now import py +from authentic2.a2_rbac.models import MANAGE_MEMBERS_OP from authentic2.a2_rbac.utils import get_default_ou from authentic2.models import UserExternalId from authentic2_auth_oidc.models import OIDCProvider, OIDCAccount @@ -299,6 +300,7 @@ def test_check_and_repair_managers_of_roles(db, capsys): role1 = Role.objects.create(name='Role 1', slug='role-1', ou=default_ou) perm1 = Permission.objects.create( operation=admin_op, target_id=role1.id, + ou=default_ou, target_ct=ContentType.objects.get_for_model(Role)) manager_role1 = Role.objects.create( 
@@ -312,10 +314,18 @@ def test_check_and_repair_managers_of_roles(db, capsys): captured = capsys.readouterr() assert '"Managers of Role 1": no admin scope' in captured.out assert 'Managers of Role 1" wrong ou, should be "Default organizational unit"' in captured.out - assert 'invalid permission "Management / role / Role 1": not manage_members operation' in captured.out - assert 'invalid permission "Management / role / Role 1": not admin_scope' in captured.out - assert 'invalid permission "Management / role / Role 1": wrong ou' in captured.out + assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not manage_members operation' in captured.out + assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": not admin_scope' in captured.out + assert 'invalid permission "Management / role / Role 1 (scope "Default organizational unit")": wrong ou' in captured.out + perm1 = Permission.objects.get(operation=admin_op, target_id=role1.id) + assert perm1.ou == default_ou + manage_members_op = get_operation(MANAGE_MEMBERS_OP) + perm1.op = manage_members_op + perm1.save() + call_command('check-and-repair', '--repair', '--noinput') + perm1 = Permission.objects.get(operation=manage_members_op, target_id=role1.id) + assert perm1.ou is None def test_check_and_delete_unused_permissions(db, capsys, simple_user): Permission = get_permission_model()
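Review bot: `perm1.op = manage_members_op` in the added test lines assigns an attribute the Permission model does not appear to use — the same test creates and queries permissions with `operation=`, so the following `perm1.save()` leaves the original admin permission unchanged. The final `Permission.objects.get(operation=manage_members_op, target_id=role1.id)` can then only match a permission that the `--repair` run itself produced, so the test does not exercise the ou reset it reads as testing; change the line to `perm1.operation = manage_members_op`. It would also be worth asserting the number of permissions targeting role1 after repair, so a stale permission left beside the corrected one is noticed. test_check_and_repair_managers_of_roles starts outside the hunk.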