The superuser capability does not require the idea of ordinality since it is a binary permission.
This commit is contained in:
Jake Moshenko
parent
87efcb9e3d
commit
7b470237a1
2 changed files with 47 additions and 15 deletions
|
|
@ -27,7 +27,7 @@ _SuperUserNeed = partial(namedtuple('superuserneed', ['type']), 'superuser')
|
|||
|
||||
REPO_ROLES = [None, 'read', 'write', 'admin']
|
||||
TEAM_ROLES = [None, 'member', 'creator', 'admin']
|
||||
USER_ROLES = [None, 'read', 'admin', 'superuser']
|
||||
USER_ROLES = [None, 'read', 'admin']
|
||||
|
||||
TEAM_REPO_ROLES = {
|
||||
'admin': 'admin',
|
||||
|
|
@ -54,10 +54,8 @@ SCOPE_MAX_USER_ROLES = defaultdict(lambda: None)
|
|||
SCOPE_MAX_USER_ROLES.update({
|
||||
scopes.READ_USER: 'read',
|
||||
scopes.DIRECT_LOGIN: 'admin',
|
||||
scopes.SUPERUSER: 'superuser',
|
||||
})
|
||||
|
||||
|
||||
def repository_read_grant(namespace, repository):
|
||||
return _RepositoryNeed(namespace, repository, 'read')
|
||||
|
||||
|
|
@ -106,22 +104,14 @@ class QuayDeferredPermissionUser(Identity):
|
|||
|
||||
def can(self, permission):
|
||||
if not self._permissions_loaded:
|
||||
logger.debug('Loading user permissions after deferring.')
|
||||
logger.debug('Loading user permissions after deferring for: %s', self.id)
|
||||
user_object = self._user_object or model.get_user_by_uuid(self.id)
|
||||
if user_object is None:
|
||||
return super(QuayDeferredPermissionUser, self).can(permission)
|
||||
|
||||
if user_object is None:
|
||||
return super(QuayDeferredPermissionUser, self).can(permission)
|
||||
|
||||
# Add the superuser need, if applicable:
|
||||
# - If the user's role is an admin (direct login) and they are a superuser
|
||||
# - If the user has granted the superuser scope
|
||||
superuser_role = self._user_role_for_scopes('superuser')
|
||||
|
||||
if superuser_role == 'admin' and superusers.is_superuser(user_object.username):
|
||||
self.provides.add(_SuperUserNeed())
|
||||
elif superuser_role == 'superuser':
|
||||
if ((scopes.SUPERUSER in self._scope_set or scopes.DIRECT_LOGIN in self._scope_set) and
|
||||
superusers.is_superuser(user_object.username)):
|
||||
logger.debug('Adding superuser to user: %s', user_object.username)
|
||||
self.provides.add(_SuperUserNeed())
|
||||
|
||||
# Add the user specific permissions, only for non-oauth permission
|
||||
|
|
|
|||
42
test/test_permissions.py
Normal file
42
test/test_permissions.py
Normal file
|
|
@ -0,0 +1,42 @@
|
|||
import unittest
|
||||
|
||||
from app import app
|
||||
|
||||
from data import model
|
||||
from auth import scopes
|
||||
from auth.permissions import SuperUserPermission, QuayDeferredPermissionUser
|
||||
from initdb import setup_database_for_testing, finished_database_for_testing
|
||||
|
||||
|
||||
SUPER_USERNAME = 'devtable'
|
||||
UNSUPER_USERNAME = 'freshuser'
|
||||
|
||||
|
||||
class TestSuperUserOps(unittest.TestCase):
|
||||
def setUp(self):
|
||||
setup_database_for_testing(self)
|
||||
self._su = model.get_user(SUPER_USERNAME)
|
||||
self._normie = model.get_user(UNSUPER_USERNAME)
|
||||
|
||||
def tearDown(self):
|
||||
finished_database_for_testing(self)
|
||||
|
||||
def test_superuser_matrix(self):
|
||||
import logging
|
||||
logging.basicConfig(level=logging.DEBUG)
|
||||
|
||||
test_cases = [
|
||||
(self._su, {scopes.SUPERUSER}, True),
|
||||
(self._su, {scopes.DIRECT_LOGIN}, True),
|
||||
(self._su, {scopes.READ_USER, scopes.SUPERUSER}, True),
|
||||
(self._su, {scopes.READ_USER}, False),
|
||||
(self._normie, {scopes.SUPERUSER}, False),
|
||||
(self._normie, {scopes.DIRECT_LOGIN}, False),
|
||||
(self._normie, {scopes.READ_USER, scopes.SUPERUSER}, False),
|
||||
(self._normie, {scopes.READ_USER}, False),
|
||||
]
|
||||
|
||||
for user_obj, scope_set, expected in test_cases:
|
||||
perm_user = QuayDeferredPermissionUser.for_user(user_obj, scope_set)
|
||||
has_su = perm_user.can(SuperUserPermission())
|
||||
self.assertEquals(has_su, expected)
|
||||
Reference in a new issue