Add ability to enable, disable and view team syncing in UI and API

Also extracts out some common testing infrastructure to make testing APIs easier now using pytest

endpoints/api/team.py

@@ -1,5 +1,7 @@
 """ Create, list and manage an organization's teams. """
 
+import json
+
 from functools import wraps
 
 from flask import request
@@ -7,13 +9,16 @@ from flask import request
 import features
 
 from app import avatar, authentication
-from auth.permissions import AdministerOrganizationPermission, ViewTeamPermission
+from auth.permissions import (AdministerOrganizationPermission, ViewTeamPermission,
+                              SuperUserPermission)
+
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from data import model
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
                            log_action, internal_only, require_scope, path_param, query_param,
-                           truthy_bool, parse_args, require_user_admin, show_if, format_date)
+                           truthy_bool, parse_args, require_user_admin, show_if, format_date,
+                           verify_not_prod, require_fresh_login)
 from endpoints.exception import Unauthorized, NotFound, InvalidRequest
 from util.useremails import send_org_invite_email
 from util.names import parse_robot_username
@@ -200,6 +205,57 @@ class OrganizationTeam(ApiResource):
     raise Unauthorized()
 
 
+@resource('/v1/organization/<orgname>/team/<teamname>/syncing')
+@path_param('orgname', 'The name of the organization')
+@path_param('teamname', 'The name of the team')
+class OrganizationTeamSyncing(ApiResource):
+  """ Resource for managing syncing of a team by a backing group. """
+  @require_scope(scopes.ORG_ADMIN)
+  @require_scope(scopes.SUPERUSER)
+  @nickname('enableOrganizationTeamSync')
+  @verify_not_prod
+  @require_fresh_login
+  def post(self, orgname, teamname):
+    # User must be both the org admin AND a superuser.
+    if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+      try:
+        team = model.team.get_organization_team(orgname, teamname)
+      except model.InvalidTeamException:
+        raise NotFound()
+
+      config = request.get_json()
+
+      # Ensure that the specified config points to a valid group.
+      status, err = authentication.check_group_lookup_args(config)
+      if not status:
+        raise InvalidRequest('Could not sync to group: %s' % err)
+
+      # Set the team's syncing config.
+      model.team.set_team_syncing(team, authentication.federated_service, config)
+
+      return team_view(orgname, team)
+
+    raise Unauthorized()
+
+  @require_scope(scopes.ORG_ADMIN)
+  @require_scope(scopes.SUPERUSER)
+  @nickname('disableOrganizationTeamSync')
+  @verify_not_prod
+  @require_fresh_login
+  def delete(self, orgname, teamname):
+    # User must be both the org admin AND a superuser.
+    if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+      try:
+        team = model.team.get_organization_team(orgname, teamname)
+      except model.InvalidTeamException:
+        raise NotFound()
+
+      model.team.remove_team_syncing(orgname, teamname)
+      return team_view(orgname, team)
+
+    raise Unauthorized()
+
+
 @resource('/v1/organization/<orgname>/team/<teamname>/members')
 @path_param('orgname', 'The name of the organization')
 @path_param('teamname', 'The name of the team')
@@ -231,16 +287,28 @@ class TeamMemberList(ApiResource):
       data = {
         'name': teamname,
         'members': [member_view(m) for m in members] + [invite_view(i) for i in invites],
-        'can_edit': edit_permission.can()
+        'can_edit': edit_permission.can(),
       }
 
-      sync_info = model.team.get_team_sync_information(orgname, teamname)
-      if sync_info is not None:
-        data['synced'] = {
-          'last_updated': format_date(sync_info.last_updated),
-          'service': sync_info.service.name,
-          'config': sync_info.config,
-        }
+      if authentication.federated_service:
+        if SuperUserPermission().can():
+          data['can_sync'] = {
+            'service': authentication.federated_service,
+          }
+
+          data['can_sync'].update(authentication.service_metadata())
+
+        sync_info = model.team.get_team_sync_information(orgname, teamname)
+        if sync_info is not None:
+          data['synced'] = {
+            'service': sync_info.service.name,
+          }
+
+          if SuperUserPermission().can():
+            data['synced'].update({
+              'last_updated': format_date(sync_info.last_updated),
+              'config': json.loads(sync_info.config),
+            })
 
       return data
 

endpoints/api/test/shared.py

@@ -2,15 +2,12 @@ import datetime
 import json
 
 from contextlib import contextmanager
-
 from data import model
 from endpoints.api import api
 
 CSRF_TOKEN_KEY = '_csrf_token'
 CSRF_TOKEN = '123csrfforme'
 
-
-@contextmanager
 def client_with_identity(auth_username, client):
   with client.session_transaction() as sess:
     if auth_username and auth_username is not None:

endpoints/api/test/test_security.py

@@ -1,14 +1,26 @@
 import pytest
 
+from endpoints.api import api
+from endpoints.api.team import OrganizationTeamSyncing
 from endpoints.api.test.shared import client_with_identity, conduct_api_call
 from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource
 from endpoints.api.superuser import SuperUserRepositoryBuildStatus
-from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
 
 TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
 BUILD_PARAMS = {'build_uuid': 'test-1234'}
 
 @pytest.mark.parametrize('resource,method,params,body,identity,expected', [
+  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 403),
+  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'freshuser', 403),
+  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'reader', 403),
+  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'devtable', 400),
+
+  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, None, 403),
+  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'freshuser', 403),
+  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'reader', 403),
+  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'devtable', 200),
+
   (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, None, 401),
   (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
   (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'reader', 403),

endpoints/api/test/test_team.py

@@ -0,0 +1,35 @@
+import json
+
+from mock import patch
+
+from data import model
+from endpoints.api import api
+from endpoints.api.test.shared import client_with_identity, conduct_api_call
+from endpoints.api.team import OrganizationTeamSyncing
+from test.test_ldap import mock_ldap
+
+TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
+
+def test_team_syncing(client):
+  with mock_ldap() as ldap:
+    with patch('endpoints.api.team.authentication', ldap):
+      cl = client_with_identity('devtable', client)
+      config = {
+        'group_dn': 'cn=AwesomeFolk',
+      }
+
+      conduct_api_call(cl, OrganizationTeamSyncing, 'POST', TEAM_PARAMS, config)
+
+      # Ensure the team is now synced.
+      sync_info = model.team.get_team_sync_information(TEAM_PARAMS['orgname'],
+                                                       TEAM_PARAMS['teamname'])
+      assert sync_info is not None
+      assert json.loads(sync_info.config) == config
+
+      # Remove the syncing.
+      conduct_api_call(cl, OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, None)
+
+      # Ensure the team is no longer synced.
+      sync_info = model.team.get_team_sync_information(TEAM_PARAMS['orgname'],
+                                                       TEAM_PARAMS['teamname'])
+      assert sync_info is None