Merge pull request #1447 from coreos-inc/adminuser

Fix user:admin scope handling and add test

auth/permissions.py

@@ -54,6 +54,7 @@ SCOPE_MAX_USER_ROLES = defaultdict(lambda: None)
 SCOPE_MAX_USER_ROLES.update({
   scopes.READ_USER: 'read',
   scopes.DIRECT_LOGIN: 'admin',
+  scopes.ADMIN_USER: 'admin',
 })
 
 def repository_read_grant(namespace, repository):

data/model/oauth.py

@@ -282,9 +282,10 @@ def list_applications_for_org(org):
   return query
 
 
-def create_access_token_for_testing(user_obj, client_id, scope):
+def create_access_token_for_testing(user_obj, client_id, scope, access_token='test'):
   expires_at = datetime.utcnow() + timedelta(seconds=10000)
   application = get_application_for_client_id(client_id)
-  OAuthAccessToken.create(application=application, authorized_user=user_obj, scope=scope,
+  created = OAuthAccessToken.create(application=application, authorized_user=user_obj, scope=scope,
-                          token_type='token', access_token='test',
+                                    token_type='token', access_token=access_token,
-                          expires_at=expires_at, refresh_token='', data='')
+                                    expires_at=expires_at, refresh_token='', data='')
+  return created

test/test_api_usage.py

@@ -141,9 +141,12 @@ class ApiTestCase(unittest.TestCase):
     parsed = py_json.loads(data)
     return parsed
 
-  def postResponse(self, resource_name, params={}, data={}, file=None, expected_code=200):
+  def postResponse(self, resource_name, params={}, data={}, file=None, headers=None,
+                   expected_code=200):
     data = py_json.dumps(data)
-    headers = {"Content-Type": "application/json"}
+
+    headers = headers or {}
+    headers.update({"Content-Type": "application/json"})
 
     if file is not None:
       data = {'file': file}
@@ -801,6 +804,37 @@ class TestCreateOrganization(ApiTestCase):
     self.assertEquals(True, json['is_admin'])
 
 
+  def test_createorg_viaoauth(self):
+    # Attempt with no auth.
+    self.postResponse(OrganizationList,
+                      data=dict(name='neworg',
+                                email='testorg@example.com'),
+                      expected_code=401)
+
+    # Attempt with auth with invalid scope.
+    dt_user = model.user.get_user(ADMIN_ACCESS_USER)
+    token = model.oauth.create_access_token_for_testing(dt_user, 'deadbeef', 'repo:read',
+                                                        access_token='foo')
+    self.postResponse(OrganizationList,
+                      data=dict(name='neworg',
+                                email='testorg@example.com'),
+                      headers=dict(Authorization='Bearer ' + token.access_token),
+                      expected_code=403)
+
+
+    # Create OAuth token with user:admin scope.
+    token = model.oauth.create_access_token_for_testing(dt_user, 'deadbeef', 'user:admin',
+                                                        access_token='bar')
+
+    data = self.postResponse(OrganizationList,
+                             data=dict(name='neworg',
+                                       email='testorg@example.com'),
+                             headers=dict(Authorization='Bearer ' + token.access_token),
+                             expected_code=201)
+
+    self.assertEquals('"Created"', data)
+
+
 class TestGetOrganization(ApiTestCase):
   def test_unknownorg(self):
     self.login(ADMIN_ACCESS_USER)