models: add ou field to api clients (#71275)

2022-11-17 10:13:53 +01:00 · 2022-11-17 10:13:53 +01:00 · a7ffb583f8
parent d542d33af8
commit a7ffb583f8
6 changed files with 79 additions and 10 deletions
--- a/src/authentic2/migrations/0044_apiclient_ou.py
+++ b/src/authentic2/migrations/0044_apiclient_ou.py
@ -0,0 +1,28 @@
+# Generated by Django 2.2.26 on 2022-11-17 09:11
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+import authentic2.a2_rbac.utils
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('a2_rbac', '0036_delete_roleattribute'),
+        ('authentic2', '0045_smscode'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='apiclient',
+            name='ou',
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                to=settings.RBAC_OU_MODEL,
+                verbose_name='organizational unit',
+                default=authentic2.a2_rbac.utils.get_default_ou_pk,
+            ),
+        ),
+    ]
--- a/src/authentic2/models.py
+++ b/src/authentic2/models.py
@ -721,6 +721,13 @@ class APIClient(models.Model):
        related_name='apiclients',
        blank=True,
    )
+    ou = models.ForeignKey(
+        verbose_name=_('organizational unit'),
+        to='a2_rbac.OrganizationalUnit',
+        swappable=False,
+        on_delete=models.CASCADE,
+        default=get_default_ou_pk,
+    )

    class Meta:
        verbose_name = _('APIClient')
--- a/tests/test_a2_rbac.py
+++ b/tests/test_a2_rbac.py
@ -417,7 +417,7 @@ def test_no_managed_ct(transactional_db, settings):
    assert Role.objects.count() == 7
    OU.objects.create(name='OU1', slug='ou1')
    emit_post_migrate_signal(verbosity=0, interactive=False, db='default', created_models=[])
-    assert Role.objects.count() == 7 + 5 + 5
+    assert Role.objects.count() == 7 + 6 + 6
    settings.A2_RBAC_MANAGED_CONTENT_TYPES = ()
    call_command('flush', verbosity=0, interactive=False, database='default', reset_sequences=False)
    assert Role.objects.count() == 0
@ -468,15 +468,17 @@ def test_manager_roles_multi_ou(db, ou1):
        role_manager = Role.objects.get(ou=ou, slug=f'_a2-manager-of-roles-{ou.slug}')
        service_manager = Role.objects.get(ou=ou, slug=f'_a2-manager-of-services-{ou.slug}')
        authenticator_manager = Role.objects.get(ou=ou, slug=f'_a2-manager-of-authenticators-{ou.slug}')
+        apiclients_manager = Role.objects.get(ou=ou, slug=f'_a2-manager-of-api-clients-{ou.slug}')

        assert user_manager in manager.parents()
        assert role_manager in manager.parents()
        assert service_manager in manager.parents()
        assert authenticator_manager in manager.parents()
-        assert manager.parents(include_self=False).count() == 4
+        assert apiclients_manager in manager.parents()
+        assert manager.parents(include_self=False).count() == 5

-    # 7 global roles and 5 ou roles for both ous (api clients aren't ou-managed yet)
-    assert Role.objects.count() == 7 + 5 + 5
+    # 7 global roles and 6 ou roles for both ous
+    assert Role.objects.count() == 7 + 6 + 6


@pytest.mark.parametrize(
--- a/tests/test_api_client.py
+++ b/tests/test_api_client.py
@ -34,6 +34,22 @@ def test_has_perm(api_client):
    assert api_client.has_perm('a2_rbac.add_role')


+def test_has_perm_ou(api_client, ou1):
+    role_ct = ContentType.objects.get_for_model(Role)
+    role_admin_role = Role.objects.get_admin_role(role_ct, 'admin %s' % role_ct, 'admin-role')
+    api_client = APIClient.objects.create(name='foo', ou=ou1)
+    assert not api_client.has_ou_perm('a2_rbac.change_role', ou1)
+    assert not api_client.has_ou_perm('a2_rbac.view_role', ou1)
+    assert not api_client.has_ou_perm('a2_rbac.delete_role', ou1)
+    assert not api_client.has_ou_perm('a2_rbac.add_role', ou1)
+    role_admin_role.apiclients.add(api_client)
+    del api_client._rbac_perms_cache
+    assert api_client.has_ou_perm('a2_rbac.change_role', ou1)
+    assert api_client.has_ou_perm('a2_rbac.view_role', ou1)
+    assert api_client.has_ou_perm('a2_rbac.delete_role', ou1)
+    assert api_client.has_ou_perm('a2_rbac.add_role', ou1)
+
+
 def test_api_users_list(app, api_client):
    User.objects.create(username='user1')

--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@ -592,7 +592,7 @@ def test_manager_many_ou(app, superuser, admin, simple_role, role_ou1, admin_ou1
        response.form.set('search-internals', True)
        response = response.form.submit()
        q = response.pyquery.remove_namespaces()
-        assert len(q('table tbody tr')) == 19
+        assert len(q('table tbody tr')) == 21
        for elt in q('table tbody td.name a'):
            assert (
                'OU1' in elt.text
@ -653,9 +653,16 @@ def test_manager_many_ou(app, superuser, admin, simple_role, role_ou1, admin_ou1
        response.form.set('search-internals', True)
        response = response.form.submit()
        q = response.pyquery.remove_namespaces()
-        assert len(q('table tbody tr')) == 5
+        assert len(q('table tbody tr')) == 6
        names = {elt.text for elt in q('table tbody td.name a')}
-        assert names == {'Roles - OU1', 'Users - OU1', 'Services - OU1', 'role_ou1', 'Authenticators - OU1'}
+        assert names == {
+            'Roles - OU1',
+            'Users - OU1',
+            'Services - OU1',
+            'role_ou1',
+            'Authenticators - OU1',
+            'API clients - OU1',
+        }

        # test role listing
        response = app.get('/manage/roles/')
@ -674,9 +681,16 @@ def test_manager_many_ou(app, superuser, admin, simple_role, role_ou1, admin_ou1
        response.form.set('search-internals', True)
        response = response.form.submit()
        q = response.pyquery.remove_namespaces()
-        assert len(q('table tbody tr')) == 5
+        assert len(q('table tbody tr')) == 6
        names = {elt.text for elt in q('table tbody td.name a')}
-        assert names == {'Roles - OU1', 'Users - OU1', 'Services - OU1', 'role_ou1', 'Authenticators - OU1'}
+        assert names == {
+            'Roles - OU1',
+            'Users - OU1',
+            'Services - OU1',
+            'role_ou1',
+            'Authenticators - OU1',
+            'API clients - OU1',
+        }

    test_user_listing_ou_admin(admin_ou1)

--- a/tests/test_role_manager.py
+++ b/tests/test_role_manager.py
@ -524,14 +524,16 @@ def test_role_members_user_role_mixed_field_choices(
    assert select2_json['more'] is True

    select2_json = request_select2(app, resp, fetch_all=True)
-    assert len(select2_json['results']) == 21
+    assert len(select2_json['results']) == 23
    choices = [x['text'] for x in select2_json['results']]
    assert choices == [
+        'Default organizational unit - API clients - Default organizational unit',
        'Default organizational unit - Authenticators - Default organizational unit',
        'Default organizational unit - Managers of role "simple role"',
        'Default organizational unit - Roles - Default organizational unit',
        'Default organizational unit - Services - Default organizational unit',
        'Default organizational unit - Users - Default organizational unit',
+        'OU1 - API clients - OU1',
        'OU1 - Authenticators - OU1',
        'OU1 - role_ou1',
        'OU1 - Roles - OU1',