Changeset - 797767469152
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Mads Kiilerich - 6 years ago 2020-04-30 14:42:12
mads@kiilerich.com
tests: simplify test_permissions.py - don't create temporary 'perms' dict
1 file changed with 10 insertions and 44 deletions:
kallithea/tests/models/test_permissions.py
10
44
0 comments (0 inline, 0 general)
kallithea/tests/models/test_permissions.py
Show inline comments
 
from kallithea.lib.auth import AuthUser
 
from kallithea.model import db
 
from kallithea.model.db import Permission, User, UserGroupRepoGroupToPerm, UserToPerm
 
from kallithea.model.meta import Session
 
from kallithea.model.permission import PermissionModel
 
from kallithea.model.repo import RepoModel
 
from kallithea.model.repo_group import RepoGroupModel
 
from kallithea.model.user import UserModel
 
from kallithea.model.user_group import UserGroupModel
 
from kallithea.tests import base
 
from kallithea.tests.fixture import Fixture
 

			




	
	
	
		
 

			




	
	
	
		
 
fixture = Fixture()

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class TestPermissions(base.TestController):

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def setup_class(cls):

			




	
	
	
		
 
        # recreate default user to get a clean start

			




	
	
	
		
 
        PermissionModel().create_default_permissions(user=User.DEFAULT_USER_NAME,

			




	
	
	
		
 
                                                     force=True)

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 

			




	
	
	
		
 
    def setup_method(self, method):

			




	
	
	
		
 
        self.u1 = UserModel().create_or_update(

			




	
	
	
		
 
            username='u1', password='qweqwe',

			




	
	
	
		
 
            email='u1@example.com', firstname='u1', lastname='u1'

			




	
	
	
		
 
        )

			




	
	
	
		
 
        self.u2 = UserModel().create_or_update(

			




	
	
	
		
 
            username='u2', password='qweqwe',

			




	
	
	
		
 
            email='u2@example.com', firstname='u2', lastname='u2'

			




	
	
	
		
 
        )

			




	
	
	
		
 
        self.u3 = UserModel().create_or_update(

			




	
	
	
		
 
            username='u3', password='qweqwe',

			




	
	
	
		
 
            email='u3@example.com', firstname='u3', lastname='u3'

			




	
	
	
		
 
        )

			




	
	
	
		
 
        self.anon = User.get_default_user()

			




	
	
	
		
 
        self.a1 = UserModel().create_or_update(

			




	
	
	
		
 
            username='a1', password='qweqwe',

			




	
	
	
		
 
            email='a1@example.com', firstname='a1', lastname='a1', admin=True

			




	
	
	
		
 
        )

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 

			




	
	
	
		
 
    def teardown_method(self, method):

			




	
	
	
		
 
        if hasattr(self, 'test_repo'):

			




	
	
	
		
 
            RepoModel().delete(repo=self.test_repo)

			




	
	
	
		
 

			




	
	
	
		
 
        UserModel().delete(self.u1)

			




	
	
	
		
 
        UserModel().delete(self.u2)

			




	
	
	
		
 
        UserModel().delete(self.u3)

			




	
	
	
		
 
        UserModel().delete(self.a1)

			




	
	
	
		
 

			




	
	
	
		
 
        Session().commit() # commit early to avoid SQLAlchemy warning from double cascade delete to users_groups_members

			




	
	
	
		
 

			




	
	
	
		
 
        if hasattr(self, 'g1'):

			




	
	
	
		
 
            RepoGroupModel().delete(self.g1.group_id)

			




	
	
	
		
 
        if hasattr(self, 'g2'):

			




	
	
	
		
 
            RepoGroupModel().delete(self.g2.group_id)

			




	
	
	
		
 

			




	
	
	
		
 
        if hasattr(self, 'ug2'):

			




	
	
	
		
 
            UserGroupModel().delete(self.ug2, force=True)

			




	
	
	
		
 
        if hasattr(self, 'ug1'):

			




	
	
	
		
 
            UserGroupModel().delete(self.ug1, force=True)

			




	
	
	
		
 

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 

			




	
	
	
		
 
    def test_default_perms_set(self):

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        perms = {

			




	
	
	
		
 
            'repositories_groups': {},

			




	
	
	
		
 
            'global': set(['hg.create.repository', 'repository.read',

			




	
	
	
		
 
                           'hg.register.manual_activate']),

			




	
	
	
		
 
            'repositories': {base.HG_REPO: 'repository.read'}

			




	
	
	
		
 
        }

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == perms['repositories'][base.HG_REPO]

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == 'repository.read'

			




	
	
	
		
 
        new_perm = 'repository.write'

			




	
	
	
		
 
        RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1,

			




	
	
	
		
 
                                          perm=new_perm)

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm

			




	
	
	
		
 

			




	
	
	
		
 
    def test_default_admin_perms_set(self):

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.a1.user_id)

			




	
	
	
		
 
        perms = {

			




	
	
	
		
 
            'repositories_groups': {},

			




	
	
	
		
 
            'global': set(['hg.admin', 'hg.create.write_on_repogroup.true']),

			




	
	
	
		
 
            'repositories': {base.HG_REPO: 'repository.admin'}

			




	
	
	
		
 
        }

			




	
	
	
		
 
        assert a1_auth.permissions['repositories'][base.HG_REPO] == perms['repositories'][base.HG_REPO]

			




	
	
	
		
 
        assert a1_auth.permissions['repositories'][base.HG_REPO] == 'repository.admin'

			




	
	
	
		
 
        new_perm = 'repository.write'

			




	
	
	
		
 
        RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.a1,

			




	
	
	
		
 
                                          perm=new_perm)

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        # cannot really downgrade admins permissions !? they still gets set as

			




	
	
	
		
 
        # admin !

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.a1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == perms['repositories'][base.HG_REPO]

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == 'repository.admin'

			




	
	
	
		
 

			




	
	
	
		
 
    def test_default_group_perms(self):

			




	
	
	
		
 
        self.g1 = fixture.create_repo_group('test1', skip_if_exists=True)

			




	
	
	
		
 
        self.g2 = fixture.create_repo_group('test2', skip_if_exists=True)

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        perms = {

			




	
	
	
		
 
            'repositories_groups': {'test1': 'group.read', 'test2': 'group.read'},

			




	
	
	
		
 
            'global': set(Permission.DEFAULT_USER_PERMISSIONS),

			




	
	
	
		
 
            'repositories': {base.HG_REPO: 'repository.read'}

			




	
	
	
		
 
        }

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == perms['repositories'][base.HG_REPO]

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == perms['repositories_groups']

			




	
	
	
		
 
        assert u1_auth.permissions['global'] == perms['global']

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == 'repository.read'

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == {'test1': 'group.read', 'test2': 'group.read'}

			




	
	
	
		
 
        assert u1_auth.permissions['global'] == set(Permission.DEFAULT_USER_PERMISSIONS)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_default_admin_group_perms(self):

			




	
	
	
		
 
        self.g1 = fixture.create_repo_group('test1', skip_if_exists=True)

			




	
	
	
		
 
        self.g2 = fixture.create_repo_group('test2', skip_if_exists=True)

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.a1.user_id)

			




	
	
	
		
 
        perms = {

			




	
	
	
		
 
            'repositories_groups': {'test1': 'group.admin', 'test2': 'group.admin'},

			




	
	
	
		
 
            'global': set(['hg.admin', 'hg.create.write_on_repogroup.true']),

			




	
	
	
		
 
            'repositories': {base.HG_REPO: 'repository.admin'}

			




	
	
	
		
 
        }

			




	
	
	
		
 

			




	
	
	
		
 
        assert a1_auth.permissions['repositories'][base.HG_REPO] == perms['repositories'][base.HG_REPO]

			




	
	
	
		
 
        assert a1_auth.permissions['repositories_groups'] == perms['repositories_groups']

			




	
	
	
		
 
        assert a1_auth.permissions['repositories'][base.HG_REPO] == 'repository.admin'

			




	
	
	
		
 
        assert a1_auth.permissions['repositories_groups'] == {'test1': 'group.admin', 'test2': 'group.admin'}

			




	
	
	
		
 

			




	
	
	
		
 
    def test_propagated_permission_from_users_group_by_explicit_perms_exist(self):

			




	
	
	
		
 
        # make group

			




	
	
	
		
 
        self.ug1 = fixture.create_user_group('G1')

			




	
	
	
		
 
        UserGroupModel().add_user_to_group(self.ug1, self.u1)

			




	
	
	
		
 

			




	
	
	
		
 
        # set user permission none

			




	
	
	
		
 
        RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1, perm='repository.none')

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == 'repository.read' # inherit from default user

			




	
	
	
		
 

			




	
	
	
		
 
        # grant perm for group this should override permission from user

			




	
	
	
		
 
        RepoModel().grant_user_group_permission(repo=base.HG_REPO,

			




	
	
	
		
 
                                                 group_name=self.ug1,

			




	
	
	
		
 
                                                 perm='repository.write')

			




	
	
	
		
 

			




	
	
	
		
 
        # verify that user group permissions win

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == 'repository.write'

			




	
	
	
		
 

			




	
	
	
		
 
    def test_propagated_permission_from_users_group(self):

			




	
	
	
		
 
        # make group

			




	
	
	
		
 
        self.ug1 = fixture.create_user_group('G1')

			




	
	
	
		
 
        UserGroupModel().add_user_to_group(self.ug1, self.u3)

			




	
	
	
		
 

			




	
	
	
		
 
        # grant perm for group this should override default permission from user

			




	
	
	
		
 
        new_perm_gr = 'repository.write'

			




	
	
	
		
 
        RepoModel().grant_user_group_permission(repo=base.HG_REPO,

			




	
	
	
		
 
                                                 group_name=self.ug1,

			




	
	
	
		
 
                                                 perm=new_perm_gr)

			




	
	
	
		
 
        # check perms

			




	
	
	
		
 
        u3_auth = AuthUser(user_id=self.u3.user_id)

			




	
	
	
		
 
        perms = {

			




	
	
	
		
 
            'repositories_groups': {},

			




	
	
	
		
 
            'global': set(['hg.create.repository', 'repository.read',

			




	
	
	
		
 
                           'hg.register.manual_activate']),

			




	
	
	
		
 
            'repositories': {base.HG_REPO: 'repository.read'}

			




	
	
	
		
 
        }

			




	
	
	
		
 
        assert u3_auth.permissions['repositories'][base.HG_REPO] == new_perm_gr

			




	
	
	
		
 
        assert u3_auth.permissions['repositories_groups'] == perms['repositories_groups']

			




	
	
	
		
 
        assert u3_auth.permissions['repositories_groups'] == {}  # note: it is unclear which repo group we are happy to not see here ...

			




	
	
	
		
 

			




	
	
	
		
 
    def test_propagated_permission_from_users_group_lower_weight(self):

			




	
	
	
		
 
        # make group

			




	
	
	
		
 
        self.ug1 = fixture.create_user_group('G1')

			




	
	
	
		
 
        # add user to group

			




	
	
	
		
 
        UserGroupModel().add_user_to_group(self.ug1, self.u1)

			




	
	
	
		
 

			




	
	
	
		
 
        # set permission to lower

			




	
	
	
		
 
        new_perm_h = 'repository.write'

			




	
	
	
		
 
        RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1,

			




	
	
	
		
 
                                          perm=new_perm_h)

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm_h

			




	
	
	
		
 

			




	
	
	
		
 
        # grant perm for group this should NOT override permission from user

			




	
	
	
		
 
        # since it's lower than granted

			




	
	
	
		
 
        new_perm_l = 'repository.read'

			




	
	
	
		
 
        RepoModel().grant_user_group_permission(repo=base.HG_REPO,

			




	
	
	
		
 
                                                 group_name=self.ug1,

			




	
	
	
		
 
                                                 perm=new_perm_l)

			




	
	
	
		
 
        # check perms

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        perms = {

			




	
	
	
		
 
            'repositories_groups': {},

			




	
	
	
		
 
            'global': set(['hg.create.repository', 'repository.read',

			




	
	
	
		
 
                           'hg.register.manual_activate']),

			




	
	
	
		
 
            'repositories': {base.HG_REPO: 'repository.write'}

			




	
	
	
		
 
        }

			




	
	
	
		
 
        assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm_h

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == perms['repositories_groups']

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == {}  # note: it is unclear which repo group we are happy to not see here ...

			




	
	
	
		
 

			




	
	
	
		
 
    def test_repo_in_group_permissions(self):

			




	
	
	
		
 
        self.g1 = fixture.create_repo_group('group1', skip_if_exists=True)

			




	
	
	
		
 
        self.g2 = fixture.create_repo_group('group2', skip_if_exists=True)

			




	
	
	
		
 
        # both perms should be read !

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == {'group1': 'group.read', 'group2': 'group.read'}

			




	
	
	
		
 

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.anon.user_id)

			




	
	
	
		
 
        assert a1_auth.permissions['repositories_groups'] == {'group1': 'group.read', 'group2': 'group.read'}

			




	
	
	
		
 

			




	
	
	
		
 
        # Change perms to none for both groups

			




	
	
	
		
 
        RepoGroupModel().grant_user_permission(repo_group=self.g1,

			




	
	
	
		
 
                                               user=self.anon,

			




	
	
	
		
 
                                               perm='group.none')

			




	
	
	
		
 
        RepoGroupModel().grant_user_permission(repo_group=self.g2,

			




	
	
	
		
 
                                               user=self.anon,

			




	
	
	
		
 
                                               perm='group.none')

			




	
	
	
		
 

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == {'group1': 'group.none', 'group2': 'group.none'}

			




	
	
	
		
 

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.anon.user_id)

			




	
	
	
		
 
        assert a1_auth.permissions['repositories_groups'] == {'group1': 'group.none', 'group2': 'group.none'}

			




	
	
	
		
 

			




	
	
	
		
 
        # add repo to group

			




	
	
	
		
 
        name = db.URL_SEP.join([self.g1.group_name, 'test_perm'])

			




	
	
	
		
 
        self.test_repo = fixture.create_repo(name=name,

			




	
	
	
		
 
                                             repo_type='hg',

			




	
	
	
		
 
                                             repo_group=self.g1,

			




	
	
	
		
 
                                             cur_user=self.u1,)

			




	
	
	
		
 

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == {'group1': 'group.none', 'group2': 'group.none'}

			




	
	
	
		
 

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.anon.user_id)

			




	
	
	
		
 
        assert a1_auth.permissions['repositories_groups'] == {'group1': 'group.none', 'group2': 'group.none'}

			




	
	
	
		
 

			




	
	
	
		
 
        # grant permission for u2 !

			




	
	
	
		
 
        RepoGroupModel().grant_user_permission(repo_group=self.g1, user=self.u2,

			




	
	
	
		
 
                                               perm='group.read')

			




	
	
	
		
 
        RepoGroupModel().grant_user_permission(repo_group=self.g2, user=self.u2,

			




	
	
	
		
 
                                               perm='group.read')

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        assert self.u1 != self.u2

			




	
	
	
		
 
        # u1 and anon should have not change perms while u2 should !

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == {'group1': 'group.none', 'group2': 'group.none'}

			




	
	
	
		
 

			




	
	
	
		
 
        u2_auth = AuthUser(user_id=self.u2.user_id)

			




	
	
	
		
 
        assert u2_auth.permissions['repositories_groups'] == {'group1': 'group.read', 'group2': 'group.read'}

			




	
	
	
		
 

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.anon.user_id)

			




	
	
	
		
 
        assert a1_auth.permissions['repositories_groups'] == {'group1': 'group.none', 'group2': 'group.none'}

			




	
	
	
		
 

			




	
	
	
		
 
    def test_repo_group_user_as_user_group_member(self):

			




	
	
	
		
 
        # create Group1

			




	
	
	
		
 
        self.g1 = fixture.create_repo_group('group1', skip_if_exists=True)

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.anon.user_id)

			




	
	
	
		
 

			




	
	
	
		
 
        assert a1_auth.permissions['repositories_groups'] == {'group1': 'group.read'}

			




	
	
	
		
 

			




	
	
	
		
 
        # set default permission to none

			




	
	
	
		
 
        RepoGroupModel().grant_user_permission(repo_group=self.g1,

			




	
	
	
		
 
                                               user=self.anon,

			




	
	
	
		
 
                                               perm='group.none')

			




	
	
	
		
 
        # make group

			




	
	
	
		
 
        self.ug1 = fixture.create_user_group('G1')

			




	
	
	
		
 
        # add user to group

			




	
	
	
		
 
        UserGroupModel().add_user_to_group(self.ug1, self.u1)

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 

			




	
	
	
		
 
        # check if user is in the group

			




	
	
	
		
 
        members = [x.user_id for x in UserGroupModel().get(self.ug1.users_group_id).members]

			




	
	
	
		
 
        assert members == [self.u1.user_id]

			




	
	
	
		
 
        # add some user to that group

			




	
	
	
		
 

			




	
	
	
		
 
        # check his permissions

			




	
	
	
		
 
        a1_auth = AuthUser(user_id=self.anon.user_id)

			




	
	
	
		
 
        assert a1_auth.permissions['repositories_groups'] == {'group1': 'group.none'}

			




	
	
	
		
 

			




	
	
	
		
 
        u1_auth = AuthUser(user_id=self.u1.user_id)

			




	
	
	
		
 
        assert u1_auth.permissions['repositories_groups'] == {'group1': 'group.none'}

			




	
	
	
		
 

			




	
	
	
		
 
        # grant ug1 read permissions for

			




	
	
	
		
 
        RepoGroupModel().grant_user_group_permission(repo_group=self.g1,

			




	
	
	
		
 
                                                      group_name=self.ug1,

			




	
	
	
		
 
                                                      perm='group.read')

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        # check if the

			




	
	
	
		
 
        obj = Session().query(UserGroupRepoGroupToPerm) \

			




	
	
	
		
 
            .filter(UserGroupRepoGroupToPerm.group == self.g1) \

			




	
	
	
		
 
            .filter(UserGroupRepoGroupToPerm.users_group == self.ug1) \

			




	
	
	
		
 
            .scalar()

			




	
	
	
		
 
        assert obj.permission.permission_name == 'group.read'

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.