# Copyright (C) 2010-2023 RhodeCode GmbH
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License, version 3
# (only), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# This program is dual-licensed. If you wish to learn more about the
# RhodeCode Enterprise Edition, including its added features, Support services,
# and proprietary license terms, please see https://rhodecode.com/licenses/
import functools
import pytest
from rhodecode.model.db import RepoGroup, User
from rhodecode.model.meta import Session
from rhodecode.model.repo_group import RepoGroupModel
from rhodecode.tests.models.common import (
_create_project_tree, check_tree_perms, _get_perms, _check_expected_count,
expected_count, _destroy_project_tree)
# Module-level state filled in by the module-scoped `prepare` fixture:
# the id of the test user and the two permission getters bound to it.
test_u1_id = _get_repo_perms = _get_group_perms = None
@pytest.fixture(autouse=True)
def setup_read_permission():
    """Reset permissions to the defaults of `permissions_setup_func` before each test."""
    # autouse: every test in this module starts from the same baseline,
    # so a permission granted by one test cannot leak into the next
    permissions_setup_func()
def permissions_setup_func(group_name='g0', perm='group.read', recursive='all',
                           user_id=None):
    """
    Reset the permission of one user on `group_name` to `perm`.

    When no `user_id` is given, the module-level test user (`test_u1_id`)
    is targeted and the same reset is first applied for the default user.

    :param group_name: name of the repository group to update
    :param perm: permission name to assign, e.g. 'group.read'
    :param recursive: mode passed through to `update_permissions`
    :param user_id: user to update; falsy selects the test user
    :raises Exception: when the group cannot be looked up
    """
    if not user_id:
        user_id = test_u1_id
        # no explicit user requested: reset the default user as well, so
        # both accounts share the same starting point
        permissions_setup_func(
            group_name, perm, recursive,
            user_id=User.get_default_user_id())

    # TODO: DRY, compare test_user_group:permissions_setup_func
    target_group = RepoGroup.get_by_group_name(group_name=group_name)
    if not target_group:
        raise Exception('Cannot get group %s' % group_name)

    # NOTE(review): check_perms=False presumably skips the check of the
    # acting user's own rights -- confirm in RepoGroupModel; acceptable in
    # a test helper, not a pattern to copy into request handling code
    RepoGroupModel().update_permissions(
        target_group,
        perm_updates=[[user_id, perm, 'user']],
        recursive=recursive,
        check_perms=False)
    Session().commit()
@pytest.fixture(scope='module', autouse=True)
def prepare(request, baseapp):
    """
    Create the project tree once per module and publish the test user's id
    and the two permission getters through the module globals.

    The tree is destroyed again by a finalizer registered on `request`.
    """
    global test_u1_id, _get_repo_perms, _get_group_perms

    created_user = _create_project_tree()
    Session().commit()
    test_u1_id = created_user.user_id

    def _perms_getter(key):
        # bind the lookup to the freshly created test user
        return functools.partial(_get_perms, key=key, test_u1_id=test_u1_id)

    _get_repo_perms = _perms_getter('repositories')
    _get_group_perms = _perms_getter('repositories_groups')

    def cleanup():
        # reads the module global when the finalizer runs
        _destroy_project_tree(test_u1_id)

    request.addfinalizer(cleanup)
def test_user_permissions_on_group_without_recursive_mode():
    """group.write on g0 with recursive='none' touches only g0 itself."""
    group = 'g0'
    recursive = 'none'
    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_perms = list(_get_repo_perms(group, recursive))
    expected = 0
    assert len(repo_perms) == expected, ' %s != %s' % (len(repo_perms), expected)
    # with zero entries asserted above this loop has nothing to iterate;
    # it only documents what a repository entry would have to look like
    for name, perm in repo_perms:
        check_tree_perms(name, perm, group, 'repository.read')

    group_perms = list(_get_group_perms(group, recursive))
    expected = 1
    assert len(group_perms) == expected, ' %s != %s' % (len(group_perms), expected)
    for name, perm in group_perms:
        check_tree_perms(name, perm, group, 'group.write')
def test_user_permissions_on_group_without_recursive_mode_subgroup():
    """group.write on g0/g0_1 with recursive='none' touches only that subgroup."""
    group = 'g0/g0_1'
    recursive = 'none'
    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_perms = list(_get_repo_perms(group, recursive))
    expected = 0
    assert len(repo_perms) == expected, ' %s != %s' % (len(repo_perms), expected)
    # with zero entries asserted above this loop has nothing to iterate
    for name, perm in repo_perms:
        check_tree_perms(name, perm, group, 'repository.read')

    group_perms = list(_get_group_perms(group, recursive))
    expected = 1
    assert len(group_perms) == expected, ' %s != %s' % (len(group_perms), expected)
    for name, perm in group_perms:
        check_tree_perms(name, perm, group, 'group.write')
def test_user_permissions_on_group_with_recursive_mode():
    """
    group.write on g0 with recursive='all': every child repository and
    child group is expected to carry the write permission afterwards.
    """
    group = 'g0'
    recursive = 'all'
    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_items = list(_get_repo_perms(group, recursive))
    group_items = list(_get_group_perms(group, recursive))
    _check_expected_count(group_items, repo_items, expected_count(group, True))

    for name, perm in repo_items:
        check_tree_perms(name, perm, group, 'repository.write')

    for name, perm in group_items:
        check_tree_perms(name, perm, group, 'group.write')
def test_user_permissions_on_group_with_recursive_mode_for_default_user():
    """
    group.write on g0 with recursive='all' for the default user.

    All child repositories and groups should receive the permission, except
    the PRIVATE repo, which must stay at repository.none; that exception is
    exclusive to the default user.
    """
    group = 'g0'
    recursive = 'all'
    default_user_id = User.get_default_user_id()
    permissions_setup_func(group, 'group.write', recursive=recursive,
                           user_id=default_user_id)

    # local getters bound to the default user instead of the test user
    def _perms_for(key):
        return functools.partial(_get_perms, key=key,
                                 test_u1_id=default_user_id)

    _get_repo_perms = _perms_for('repositories')
    _get_group_perms = _perms_for('repositories_groups')

    repo_items = list(_get_repo_perms(group, recursive))
    group_items = list(_get_group_perms(group, recursive))
    _check_expected_count(group_items, repo_items, expected_count(group, True))

    for name, perm in repo_items:
        check_tree_perms(name, perm, group, 'repository.write', default_user=True)

    for name, perm in group_items:
        check_tree_perms(name, perm, group, 'group.write', default_user=True)
def test_user_permissions_on_group_with_recursive_mode_inner_group():
    """group.none on g0/g0_3 with recursive='all' revokes access on the whole subtree."""
    group = 'g0/g0_3'
    recursive = 'all'
    permissions_setup_func(group, 'group.none', recursive=recursive)

    repo_items = list(_get_repo_perms(group, recursive))
    group_items = list(_get_group_perms(group, recursive))
    _check_expected_count(group_items, repo_items, expected_count(group, True))

    for name, perm in repo_items:
        check_tree_perms(name, perm, group, 'repository.none')

    for name, perm in group_items:
        check_tree_perms(name, perm, group, 'group.none')
def test_user_permissions_on_group_with_recursive_mode_deepest():
    """group.write on the deepest group g0/g0_1/g0_1_1 with recursive='all'."""
    group = 'g0/g0_1/g0_1_1'
    recursive = 'all'
    permissions_setup_func(group, 'group.write', recursive=recursive)

    repo_items = list(_get_repo_perms(group, recursive))
    group_items = list(_get_group_perms(group, recursive))
    _check_expected_count(group_items, repo_items, expected_count(group, True))

    for name, perm in repo_items:
        check_tree_perms(name, perm, group, 'repository.write')

    for name, perm in group_items:
        check_tree_perms(name, perm, group, 'group.write')
def test_user_permissions_on_group_with_recursive_mode_only_with_repos():
    """group.admin on g0/g0_2 with recursive='all'; repositories must end up at repository.admin."""
    group = 'g0/g0_2'
    recursive = 'all'
    permissions_setup_func(group, 'group.admin', recursive=recursive)

    repo_items = list(_get_repo_perms(group, recursive))
    group_items = list(_get_group_perms(group, recursive))
    _check_expected_count(group_items, repo_items, expected_count(group, True))

    for name, perm in repo_items:
        check_tree_perms(name, perm, group, 'repository.admin')

    for name, perm in group_items:
        check_tree_perms(name, perm, group, 'group.admin')
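def test_user_permissions_on_group_with_recursive_repo_mode_for_default_user():
    """
    group.none on g0/g0_1 in 'repos' mode for the default user.

    Child repositories should receive the permission; inner groups are
    excluded and keep group.read. The group the change is triggered from
    is updated as well, so it is expected to carry the applied permission.
    """
    recursive = 'repos'
    group = 'g0/g0_1'
    perm = 'group.none'
    default_user_id = User.get_default_user_id()

    # TODO: workaround due to different setup calls, adapt to py.test style
    permissions_setup_func()
    permissions_setup_func(group, perm, recursive=recursive,
                           user_id=default_user_id)

    # local getters bound to the default user instead of the test user
    _get_repo_perms = functools.partial(_get_perms, key='repositories',
                                        test_u1_id=default_user_id)
    _get_group_perms = functools.partial(_get_perms, key='repositories_groups',
                                         test_u1_id=default_user_id)

    repo_items = list(_get_repo_perms(group, recursive))
    items = list(_get_group_perms(group, recursive))
    _check_expected_count(items, repo_items, expected_count(group, True))

    # the loop variables get their own names so that `perm` keeps holding
    # the permission applied above
    for name, repo_perm in repo_items:
        check_tree_perms(name, repo_perm, group, 'repository.none')

    for name, group_perm in items:
        # compare the trigger group against the applied permission; taking
        # the expectation from the value under test would make the check
        # pass for any permission and hide an authorization regression
        expected_perm = perm if name == group else 'group.read'
        check_tree_perms(name, group_perm, group, expected_perm)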
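def test_user_permissions_on_group_with_recursive_repo_mode_inner_group():
    """
    group.none on g0/g0_3 in 'repos' mode for the test user.

    Child repositories should drop to repository.none; inner groups keep
    group.read. The group the change is triggered from is updated as well,
    so it is expected to carry the applied permission.
    """
    recursive = 'repos'
    group = 'g0/g0_3'
    perm = 'group.none'
    permissions_setup_func(group, perm, recursive=recursive)

    repo_items = list(_get_repo_perms(group, recursive))
    items = list(_get_group_perms(group, recursive))
    _check_expected_count(items, repo_items, expected_count(group, True))

    # the loop variables get their own names so that `perm` keeps holding
    # the permission applied above
    for name, repo_perm in repo_items:
        check_tree_perms(name, repo_perm, group, 'repository.none')

    for name, group_perm in items:
        # compare the trigger group against the applied permission; taking
        # the expectation from the value under test would make the check
        # pass for any permission and hide an authorization regression
        expected_perm = perm if name == group else 'group.read'
        check_tree_perms(name, group_perm, group, expected_perm)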
def test_user_permissions_on_group_with_rec_group_mode_for_default_user():
    """
    group.write on g0/g0_1 in 'groups' mode for the default user.

    All child groups should receive the permission; repositories must stay
    untouched (repository.read) because only groups are in scope.
    """
    group = 'g0/g0_1'
    recursive = 'groups'
    default_user_id = User.get_default_user_id()

    # TODO: workaround due to different setup calls, adapt to py.test style
    permissions_setup_func()
    permissions_setup_func(group, 'group.write', recursive=recursive,
                           user_id=default_user_id)

    # local getters bound to the default user instead of the test user
    def _perms_for(key):
        return functools.partial(_get_perms, key=key,
                                 test_u1_id=default_user_id)

    _get_repo_perms = _perms_for('repositories')
    _get_group_perms = _perms_for('repositories_groups')

    repo_items = list(_get_repo_perms(group, recursive))
    group_items = list(_get_group_perms(group, recursive))
    _check_expected_count(group_items, repo_items, expected_count(group, True))

    for name, perm in repo_items:
        check_tree_perms(name, perm, group, 'repository.read')

    for name, perm in group_items:
        check_tree_perms(name, perm, group, 'group.write')
def test_user_permissions_on_group_with_recursive_group_mode_inner_group():
    """
    group.none on g0/g0_3 in 'groups' mode: groups drop to group.none
    while repositories keep repository.read.
    """
    group = 'g0/g0_3'
    recursive = 'groups'

    # TODO: workaround due to different setup calls, adapt to py.test style
    permissions_setup_func()
    permissions_setup_func(group, 'group.none', recursive=recursive)

    repo_items = list(_get_repo_perms(group, recursive))
    group_items = list(_get_group_perms(group, recursive))
    _check_expected_count(group_items, repo_items, expected_count(group, True))

    for name, perm in repo_items:
        check_tree_perms(name, perm, group, 'repository.read')

    for name, perm in group_items:
        check_tree_perms(name, perm, group, 'group.none')