models: add ou field to api clients (#71275)
parent
d542d33af8
commit
a7ffb583f8
|
@ -0,0 +1,28 @@
|
|||
# Generated by Django 2.2.26 on 2022-11-17 09:11
|
||||
|
||||
import django.db.models.deletion
|
||||
from django.conf import settings
|
||||
from django.db import migrations, models
|
||||
|
||||
import authentic2.a2_rbac.utils
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('a2_rbac', '0036_delete_roleattribute'),
|
||||
('authentic2', '0045_smscode'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AddField(
|
||||
model_name='apiclient',
|
||||
name='ou',
|
||||
field=models.ForeignKey(
|
||||
on_delete=django.db.models.deletion.CASCADE,
|
||||
to=settings.RBAC_OU_MODEL,
|
||||
verbose_name='organizational unit',
|
||||
default=authentic2.a2_rbac.utils.get_default_ou_pk,
|
||||
),
|
||||
),
|
||||
]
|
|
@ -721,6 +721,13 @@ class APIClient(models.Model):
|
|||
related_name='apiclients',
|
||||
blank=True,
|
||||
)
|
||||
ou = models.ForeignKey(
|
||||
verbose_name=_('organizational unit'),
|
||||
to='a2_rbac.OrganizationalUnit',
|
||||
swappable=False,
|
||||
on_delete=models.CASCADE,
|
||||
default=get_default_ou_pk,
|
||||
)
|
||||
|
||||
class Meta:
|
||||
verbose_name = _('APIClient')
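Review bot: The new `ou` field is declared with `to='a2_rbac.OrganizationalUnit'` and `swappable=False`, while the migration added in this same commit records `to=settings.RBAC_OU_MODEL`, so the model and its migration describe the relation differently. Running `makemigrations --check` would confirm whether Django sees a pending change, and the migration should be regenerated if it does. Separately, the field is non-null with `default=get_default_ou_pk`, so the migration attaches every existing API client to the default organizational unit, and any creation path that omits `ou` lands there silently. A comment above the field such as `# clients created without an explicit ou (and all pre-existing rows) are attached to the default OU` would make that explicit for whoever later scopes permissions by OU. The APIClient class starts and ends outside this hunk.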
|
||||
|
|
|
@ -417,7 +417,7 @@ def test_no_managed_ct(transactional_db, settings):
|
|||
assert Role.objects.count() == 7
|
||||
OU.objects.create(name='OU1', slug='ou1')
|
||||
emit_post_migrate_signal(verbosity=0, interactive=False, db='default', created_models=[])
|
||||
assert Role.objects.count() == 7 + 5 + 5
|
||||
assert Role.objects.count() == 7 + 6 + 6
|
||||
settings.A2_RBAC_MANAGED_CONTENT_TYPES = ()
|
||||
call_command('flush', verbosity=0, interactive=False, database='default', reset_sequences=False)
|
||||
assert Role.objects.count() == 0
|
||||
|
@ -468,15 +468,17 @@ def test_manager_roles_multi_ou(db, ou1):
|
|||
role_manager = Role.objects.get(ou=ou, slug=f'_a2-manager-of-roles-{ou.slug}')
|
||||
service_manager = Role.objects.get(ou=ou, slug=f'_a2-manager-of-services-{ou.slug}')
|
||||
authenticator_manager = Role.objects.get(ou=ou, slug=f'_a2-manager-of-authenticators-{ou.slug}')
|
||||
apiclients_manager = Role.objects.get(ou=ou, slug=f'_a2-manager-of-api-clients-{ou.slug}')
|
||||
|
||||
assert user_manager in manager.parents()
|
||||
assert role_manager in manager.parents()
|
||||
assert service_manager in manager.parents()
|
||||
assert authenticator_manager in manager.parents()
|
||||
assert manager.parents(include_self=False).count() == 4
|
||||
assert apiclients_manager in manager.parents()
|
||||
assert manager.parents(include_self=False).count() == 5
|
||||
|
||||
# 7 global roles and 5 ou roles for both ous (api clients aren't ou-managed yet)
|
||||
assert Role.objects.count() == 7 + 5 + 5
|
||||
# 7 global roles and 6 ou roles for both ous
|
||||
assert Role.objects.count() == 7 + 6 + 6
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
|
|
|
@ -34,6 +34,22 @@ def test_has_perm(api_client):
|
|||
assert api_client.has_perm('a2_rbac.add_role')
|
||||
|
||||
|
||||
def test_has_perm_ou(api_client, ou1):
|
||||
role_ct = ContentType.objects.get_for_model(Role)
|
||||
role_admin_role = Role.objects.get_admin_role(role_ct, 'admin %s' % role_ct, 'admin-role')
|
||||
api_client = APIClient.objects.create(name='foo', ou=ou1)
|
||||
assert not api_client.has_ou_perm('a2_rbac.change_role', ou1)
|
||||
assert not api_client.has_ou_perm('a2_rbac.view_role', ou1)
|
||||
assert not api_client.has_ou_perm('a2_rbac.delete_role', ou1)
|
||||
assert not api_client.has_ou_perm('a2_rbac.add_role', ou1)
|
||||
role_admin_role.apiclients.add(api_client)
|
||||
del api_client._rbac_perms_cache
|
||||
assert api_client.has_ou_perm('a2_rbac.change_role', ou1)
|
||||
assert api_client.has_ou_perm('a2_rbac.view_role', ou1)
|
||||
assert api_client.has_ou_perm('a2_rbac.delete_role', ou1)
|
||||
assert api_client.has_ou_perm('a2_rbac.add_role', ou1)
|
||||
|
||||
|
||||
def test_api_users_list(app, api_client):
|
||||
User.objects.create(username='user1')
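Review bot: `test_has_perm_ou` never checks isolation between organizational units, because every `has_ou_perm` assertion passes `ou1`. The role from `get_admin_role(role_ct, ...)` also looks like an admin role on the Role content type rather than one bound to an OU, so the test would presumably still pass if `has_ou_perm` ignored its `ou` argument. A role scoped to `ou1` plus a negative assertion such as `assert not api_client.has_ou_perm('a2_rbac.change_role', other_ou)` would pin the scoping this commit introduces (`other_ou` is a placeholder for a second OU fixture). The `api_client` fixture parameter is also shadowed by the local `api_client = APIClient.objects.create(name='foo', ou=ou1)`, so it can be dropped from the signature or the local renamed.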
|
||||
|
||||
|
|
|
@ -592,7 +592,7 @@ def test_manager_many_ou(app, superuser, admin, simple_role, role_ou1, admin_ou1
|
|||
response.form.set('search-internals', True)
|
||||
response = response.form.submit()
|
||||
q = response.pyquery.remove_namespaces()
|
||||
assert len(q('table tbody tr')) == 19
|
||||
assert len(q('table tbody tr')) == 21
|
||||
for elt in q('table tbody td.name a'):
|
||||
assert (
|
||||
'OU1' in elt.text
|
||||
|
@ -653,9 +653,16 @@ def test_manager_many_ou(app, superuser, admin, simple_role, role_ou1, admin_ou1
|
|||
response.form.set('search-internals', True)
|
||||
response = response.form.submit()
|
||||
q = response.pyquery.remove_namespaces()
|
||||
assert len(q('table tbody tr')) == 5
|
||||
assert len(q('table tbody tr')) == 6
|
||||
names = {elt.text for elt in q('table tbody td.name a')}
|
||||
assert names == {'Roles - OU1', 'Users - OU1', 'Services - OU1', 'role_ou1', 'Authenticators - OU1'}
|
||||
assert names == {
|
||||
'Roles - OU1',
|
||||
'Users - OU1',
|
||||
'Services - OU1',
|
||||
'role_ou1',
|
||||
'Authenticators - OU1',
|
||||
'API clients - OU1',
|
||||
}
|
||||
|
||||
# test role listing
|
||||
response = app.get('/manage/roles/')
|
||||
|
@ -674,9 +681,16 @@ def test_manager_many_ou(app, superuser, admin, simple_role, role_ou1, admin_ou1
|
|||
response.form.set('search-internals', True)
|
||||
response = response.form.submit()
|
||||
q = response.pyquery.remove_namespaces()
|
||||
assert len(q('table tbody tr')) == 5
|
||||
assert len(q('table tbody tr')) == 6
|
||||
names = {elt.text for elt in q('table tbody td.name a')}
|
||||
assert names == {'Roles - OU1', 'Users - OU1', 'Services - OU1', 'role_ou1', 'Authenticators - OU1'}
|
||||
assert names == {
|
||||
'Roles - OU1',
|
||||
'Users - OU1',
|
||||
'Services - OU1',
|
||||
'role_ou1',
|
||||
'Authenticators - OU1',
|
||||
'API clients - OU1',
|
||||
}
|
||||
|
||||
test_user_listing_ou_admin(admin_ou1)
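Review bot: The expected set of role names is now written out twice in `test_manager_many_ou`, in the hunk at -653 and again in the hunk at -674, with identical contents including the new `'API clients - OU1'` entry. Hoisting it into one local such as `expected_ou1_names = {...}` and asserting `names == expected_ou1_names` in both places would keep the next role addition to a single edit. The two `== 6` row counts could then be written as `len(expected_ou1_names)`. The function body starts and ends outside these hunks.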
|
||||
|
||||
|
|
|
@ -524,14 +524,16 @@ def test_role_members_user_role_mixed_field_choices(
|
|||
assert select2_json['more'] is True
|
||||
|
||||
select2_json = request_select2(app, resp, fetch_all=True)
|
||||
assert len(select2_json['results']) == 21
|
||||
assert len(select2_json['results']) == 23
|
||||
choices = [x['text'] for x in select2_json['results']]
|
||||
assert choices == [
|
||||
'Default organizational unit - API clients - Default organizational unit',
|
||||
'Default organizational unit - Authenticators - Default organizational unit',
|
||||
'Default organizational unit - Managers of role "simple role"',
|
||||
'Default organizational unit - Roles - Default organizational unit',
|
||||
'Default organizational unit - Services - Default organizational unit',
|
||||
'Default organizational unit - Users - Default organizational unit',
|
||||
'OU1 - API clients - OU1',
|
||||
'OU1 - Authenticators - OU1',
|
||||
'OU1 - role_ou1',
|
||||
'OU1 - Roles - OU1',
|
||||
|
|