authorDan Callaghan <dcallagh@redhat.com>2017-10-06 14:00:05 +1000
committerDan Callaghan <dcallagh@redhat.com>2017-10-12 06:28:29 +0000
commit193390b7dc922ae7824b37c2b4ea909e631fb2a2 (patch)
tree8fb958bc111d36b4e16b876587ddcb83f1899e44
parent58e6b2b4fa1df0d7600d57c1646e47a0def834ca (diff)
disallow adding deleted users to access policies
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_system_access_policies.py26
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py23
-rw-r--r--Server/bkr/server/pools.py2
-rw-r--r--Server/bkr/server/systems.py5
4 files changed, 55 insertions, 1 deletions
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_system_access_policies.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_system_access_policies.py
index 37b8303..a76cd28 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_system_access_policies.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_system_access_policies.py
@@ -4,6 +4,7 @@
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
+import datetime
import requests
from bkr.server.model import session, SystemAccessPolicy, SystemPermission, \
Group
@@ -12,7 +13,7 @@ from bkr.inttest.server.selenium import WebDriverTestCase
from bkr.inttest.server.webdriver_utils import login, logout, \
find_policy_checkbox, check_policy_row_is_dirty, \
check_policy_row_is_not_dirty, check_policy_row_is_absent
-from bkr.inttest.server.requests_utils import put_json
+from bkr.inttest.server.requests_utils import put_json, post_json
from selenium.webdriver.support.ui import Select
class SystemAccessPolicyWebUITest(WebDriverTestCase):
@@ -405,6 +406,29 @@ class SystemAccessPolicyHTTPTest(DatabaseTestCase):
SystemPermission.control_system)
self.assertEquals(self.policy.rules[2].everybody, True)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1497881
+ def test_cannot_add_deleted_user_to_access_policy(self):
+ with session.begin():
+ deleted_user = data_setup.create_user()
+ deleted_user.removed = datetime.datetime.utcnow()
+ bad_rule = {'user': deleted_user.user_name, 'permission': 'edit'}
+ s = requests.Session()
+ s.post(get_server_base() + 'login', data={'user_name': self.owner.user_name,
+ 'password': 'theowner'}).raise_for_status()
+ # Two different APIs for manipulating access policy rules
+ response = put_json(get_server_base() +
+ 'systems/%s/access-policy' % self.system.fqdn, session=s,
+ data={'rules': [bad_rule]})
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(response.text,
+ 'Cannot add deleted user %s to access policy' % deleted_user.user_name)
+ response = post_json(get_server_base() +
+ 'systems/%s/access-policy/rules/' % self.system.fqdn, session=s,
+ data=bad_rule)
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(response.text,
+ 'Cannot add deleted user %s to access policy' % deleted_user.user_name)
+
def test_get_active_access_policy(self):
response = requests.get(get_server_base() +
'systems/%s/active-access-policy/' % self.system.fqdn)
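Review bot: `test_cannot_add_deleted_user_to_access_policy` asserts only the 400 status and the message text, so it never checks that the rejected request left the policy unchanged. The property worth pinning is that no grant for the removed account was stored. After each request, re-read the policy inside `with session.begin():` and assert that no rule names `deleted_user`, for example `self.assertFalse(any(r.user == deleted_user for r in self.policy.rules))` (this assumes rule objects expose `.user`, which is not visible here). The pool test added in test_system_pools.py has the same gap and could make the same assertion against `self.pool.access_policy`.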
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py
index 946d443..3ce770b 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_system_pools.py
@@ -4,6 +4,7 @@
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
+import datetime
import requests
from bkr.server.model import session, SystemAccessPolicy, SystemPermission, \
Group, SystemPool, User, Activity
@@ -866,3 +867,25 @@ class SystemPoolAccessPolicyHTTPTest(DatabaseTestCase):
self.assertFalse(self.pool.access_policy.grants
(user, SystemPermission.edit_system))
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1497881
+ def test_cannot_add_deleted_user_to_access_policy(self):
+ with session.begin():
+ deleted_user = data_setup.create_user()
+ deleted_user.removed = datetime.datetime.utcnow()
+ bad_rule = {'user': deleted_user.user_name, 'permission': 'edit'}
+ s = requests.Session()
+ s.post(get_server_base() + 'login', data={'user_name': self.owner.user_name,
+ 'password': 'theowner'}).raise_for_status()
+ # Two different APIs for manipulating access policy rules
+ response = put_json(get_server_base() +
+ 'pools/%s/access-policy/' % self.pool.name, session=s,
+ data={'rules': [bad_rule]})
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(response.text,
+ 'Cannot add deleted user %s to access policy' % deleted_user.user_name)
+ response = post_json(get_server_base() +
+ 'pools/%s/access-policy/rules/' % self.pool.name, session=s,
+ data=bad_rule)
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(response.text,
+ 'Cannot add deleted user %s to access policy' % deleted_user.user_name)
diff --git a/Server/bkr/server/pools.py b/Server/bkr/server/pools.py
index a7c7e3f..d5c856b 100644
--- a/Server/bkr/server/pools.py
+++ b/Server/bkr/server/pools.py
@@ -376,6 +376,8 @@ def add_access_policy_rule(pool_name):
user = User.by_user_name(rule['user'])
if not user:
raise BadRequest400("User '%s' does not exist" % rule['user'])
+ if user.removed:
+ raise BadRequest400('Cannot add deleted user %s to access policy' % user.user_name)
else:
user = None
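Review bot: The `if user.removed:` guard added here is copied verbatim into `_edit_access_policy_rules` and `add_system_access_policy_rule` in systems.py, so the rule "removed users cannot be granted access" is enforced per HTTP handler rather than in one place. Any other code path that creates a policy rule would have to repeat the check, and nothing visible here would catch an omission. Consider a small shared helper that raises `BadRequest400('Cannot add deleted user %s to access policy' % user.user_name)` when `user.removed` is set, or enforcing the check where the rule object is created. The body of `add_access_policy_rule` starts and ends outside the hunk.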
diff --git a/Server/bkr/server/systems.py b/Server/bkr/server/systems.py
index 3b4bd68..97cb187 100644
--- a/Server/bkr/server/systems.py
+++ b/Server/bkr/server/systems.py
@@ -957,6 +957,9 @@ def _edit_access_policy_rules(object, policy, rules=None):
user = User.by_user_name(rule['user'])
if user is None:
raise BadRequest400('No such user %r' % rule['user'])
+ if user.removed:
+ raise BadRequest400('Cannot add deleted user %s to access policy'
+ % user.user_name)
else:
user = None
try:
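Review bot: The `user.removed` check in `_edit_access_policy_rules` appears to run for every rule in the submitted list, not only for rules that are new to the policy. If a policy can still hold a rule for a user who was removed after the rule was granted, a client that reads the policy and PUTs it back unchanged would get a 400 until that rule is dropped; whether user removal purges such rules is not visible in this commit. Either confirm that removing a user also deletes their policy rules, or record the behaviour with a comment above the check such as `# rules for removed users are rejected even if already present; callers must drop them`. The function body starts and ends outside the hunk.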
@@ -1026,6 +1029,8 @@ def add_system_access_policy_rule(fqdn):
user = User.by_user_name(rule['user'])
if not user:
raise BadRequest400("User '%s' does not exist" % rule['user'])
+ if user.removed:
+ raise BadRequest400('Cannot add deleted user %s to access policy' % user.user_name)
else:
user = None