workflows: don't create missing roles if they're managed by an idp (#13933)

tests/test_admin_pages.py

@@ -32,7 +32,8 @@ from wcs.data_sources import NamedDataSource
 from wcs.wscalls import NamedWsCall
 from wcs.roles import Role
 from wcs.workflows import (Workflow, DisplayMessageWorkflowStatusItem,
-        WorkflowCriticalityLevel, WorkflowBackofficeFieldsFormDef)
+        WorkflowCriticalityLevel, WorkflowBackofficeFieldsFormDef,
+        CommentableWorkflowStatusItem)
 from wcs.wf.jump import JumpWorkflowStatusItem
 from wcs.wf.register_comment import RegisterCommenterWorkflowStatusItem
 from wcs.wf.wscall import WebserviceCallStatusItem
@@ -1607,6 +1608,66 @@ def test_workflows_export_import(pub):
     assert 'Invalid File' in resp.body
     assert Workflow.count() == 2
 
+def test_workflows_export_import_create_role(pub):
+    create_superuser(pub)
+
+    Role.wipe()
+    role = Role()
+    role.name = 'PLOP'
+    role.store()
+
+    Workflow.wipe()
+    workflow = Workflow(name='foo')
+    st1 = workflow.add_status(name='baz')
+    commentable = CommentableWorkflowStatusItem()
+    commentable.id = '_commentable'
+    commentable.by = [role.id]
+    st1.items.append(commentable)
+    commentable.parent = st1
+    workflow.store()
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/workflows/1/')
+    resp = resp.click('Export')
+    assert resp.content_type == 'application/x-wcs-form'
+    wf_export = resp.body
+
+    resp = app.get('/backoffice/workflows/')
+    resp = resp.click('Import')
+    resp.form['file'] = Upload('xxx.wcs', wf_export)
+    resp = resp.form.submit('submit')
+    assert resp.location == 'http://example.net/backoffice/workflows/2/'
+    resp = resp.follow()
+    assert 'This workflow has been successfully imported' in resp.body
+    assert Workflow.get(2).name == 'Copy of foo'
+    assert Workflow.get(2).possible_status[0].items[0].by == [role.id]
+
+    role.remove_self()
+
+    # automatically create role
+    resp = app.get('/backoffice/workflows/')
+    resp = resp.click('Import')
+    resp.form['file'] = Upload('xxx.wcs', wf_export)
+    resp = resp.form.submit('submit')
+    assert resp.location == 'http://example.net/backoffice/workflows/3/'
+    resp = resp.follow()
+    assert 'This workflow has been successfully imported' in resp.body
+    assert Workflow.get(3).name == 'Copy of foo (2)'
+    assert Role.count() == 1
+    assert Role.select()[0].name == 'PLOP'
+    assert Workflow.get(2).possible_status[0].items[0].by == [Role.select()[0].id]
+
+    # don't create role if they are managed by the identity provider
+    Role.wipe()
+
+    pub.cfg['sp'] = {'idp-manage-roles': True}
+    pub.write_cfg()
+    resp = app.get('/backoffice/workflows/')
+    resp = resp.click('Import')
+    resp.form['file'] = Upload('xxx.wcs', wf_export)
+    resp = resp.form.submit('submit')
+    assert 'Invalid File (Unknown referenced role (PLOP))' in resp.body
+
 def test_workflows_duplicate(pub):
     create_superuser(pub)
 

wcs/admin/workflows.py

@@ -1891,7 +1891,7 @@ class WorkflowsDirectory(Directory):
             workflow = Workflow.import_from_xml(fp)
         except WorkflowImportError, e:
             error = True
-            reason = _(e)
+            reason = _(e) % e.msg_args
         except ValueError:
             error = True
 

wcs/workflows.py

@@ -78,7 +78,9 @@ def perform_items(items, formdata, depth=20):
 
 
 class WorkflowImportError(Exception):
-    pass
+    def __init__(self, msg, msg_args=None):
+        super(Exception, self).__init__(msg)
+        self.msg_args = msg_args or ()
 
 
 class AbortActionException(Exception):
@@ -921,6 +923,10 @@ class XmlSerialisable(object):
             if role.name == value:
                 return role.id
 
+        # if the roles are managed by the idp, don't try further.
+        if get_publisher() and get_cfg('sp', {}).get('idp-manage-roles') is True:
+            raise WorkflowImportError(N_('Unknown referenced role (%s)'), (value,))
+
         # and if there's no match, create a new role
         role = Role()
         role.name = value