Merge pull request #2813 from coreos-inc/joseph.schorr/QUAY-701/team-sync-nonsuperuser

Add option for self-service team synchronization
2017-07-21 12:58:29 -04:00 · 2017-07-21 12:58:29 -04:00 · 94d516a2c8
commit 94d516a2c8
parent 009ca829e8 ec71d787af
5 changed files with 63 additions and 6 deletions
--- a/endpoints/api/team.py
+++ b/endpoints/api/team.py
@ -209,6 +209,14 @@ class OrganizationTeam(ApiResource):
    raise Unauthorized()


+def _syncing_setup_allowed(orgname):
+  """ Returns whether syncing setup is allowed for the current user over the matching org. """
+  if not features.NONSUPERUSER_TEAM_SYNCING_SETUP and not SuperUserPermission().can():
+    return False
+
+  return AdministerOrganizationPermission(orgname).can()
+
+
@resource('/v1/organization/<orgname>/team/<teamname>/syncing')
@path_param('orgname', 'The name of the organization')
@path_param('teamname', 'The name of the team')
@ -221,8 +229,7 @@ class OrganizationTeamSyncing(ApiResource):
  @verify_not_prod
  @require_fresh_login
  def post(self, orgname, teamname):
-    # User must be both the org admin AND a superuser.
-    if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+    if _syncing_setup_allowed(orgname):
      try:
        team = model.team.get_organization_team(orgname, teamname)
      except model.InvalidTeamException:
@ -248,8 +255,7 @@ class OrganizationTeamSyncing(ApiResource):
  @verify_not_prod
  @require_fresh_login
  def delete(self, orgname, teamname):
-    # User must be both the org admin AND a superuser.
-    if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+    if _syncing_setup_allowed(orgname):
      try:
        team = model.team.get_organization_team(orgname, teamname)
      except model.InvalidTeamException:
@ -296,7 +302,7 @@ class TeamMemberList(ApiResource):
      }

      if features.TEAM_SYNCING and authentication.federated_service:
-        if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+        if _syncing_setup_allowed(orgname):
          data['can_sync'] = {
            'service': authentication.federated_service,
          }
--- a/endpoints/api/test/test_security.py
+++ b/endpoints/api/test/test_security.py
@ -1,3 +1,5 @@
+from mock import patch
+
 import pytest
 from flask_principal import AnonymousIdentity

@ -10,7 +12,7 @@ from endpoints.api.signing import RepositorySignatures
 from endpoints.api.search import ConductRepositorySearch
 from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource
 from endpoints.api.superuser import SuperUserRepositoryBuildStatus
-from endpoints.test.shared import client_with_identity
+from endpoints.test.shared import client_with_identity, toggle_feature

 from test.fixtures import *

@ -69,3 +71,27 @@ NOTIFICATION_PARAMS = {'namespace': 'devtable', 'repository': 'devtable/simple',
 def test_api_security(resource, method, params, body, identity, expected, client):
  with client_with_identity(identity, client) as cl:
    conduct_api_call(cl, resource, method, params, body, expected)
+
+
+@pytest.mark.parametrize('is_superuser', [
+  (True),
+  (False),
+])
+@pytest.mark.parametrize('allow_nonsuperuser', [
+  (True),
+  (False),
+])
+@pytest.mark.parametrize('method, expected', [
+  ('POST', 400),
+  ('DELETE', 200),
+])
+def test_team_sync_security(is_superuser, allow_nonsuperuser, method, expected, client):
+  def is_superuser_method(_):
+    return is_superuser
+
+  with patch('auth.permissions.superusers.is_superuser', is_superuser_method):
+    with toggle_feature('NONSUPERUSER_TEAM_SYNCING_SETUP', allow_nonsuperuser):
+      with client_with_identity('devtable', client) as cl:
+        expect_success = is_superuser or allow_nonsuperuser
+        expected_status = expected if expect_success else 403
+        conduct_api_call(cl, OrganizationTeamSyncing, method, TEAM_PARAMS, {}, expected_status)