diff --git a/CHANGES/1093.misc b/CHANGES/1093.misc
deleted file mode 100644
index b90a363290..0000000000
--- a/CHANGES/1093.misc
+++ /dev/null
@@ -1 +0,0 @@
-Removing django-guardian and migrating to RBAC Roles
\ No newline at end of file
diff --git a/galaxy_ng/app/access_control/fields.py b/galaxy_ng/app/access_control/fields.py
index 60aee52ce3..b72b17ed8b 100644
--- a/galaxy_ng/app/access_control/fields.py
+++ b/galaxy_ng/app/access_control/fields.py
@@ -1,38 +1,44 @@ +from django.contrib.auth.models import Permission +from django.db.models import Q from django.utils.translation import gettext_lazy as _ +from guardian.shortcuts import get_perms_for_model + from rest_framework import serializers from rest_framework.exceptions import ValidationError -from pulpcore.plugin.models.role import Role - -from pulpcore.plugin.util import get_perms_for_model - from galaxy_ng.app.models import auth as auth_models class GroupPermissionField(serializers.Field): def _validate_group(self, group_data): - if 'object_roles' not in group_data: + if 'object_permissions' not in group_data: raise ValidationError(detail={ - 'groups': _('object_roles field is required')}) + 'groups': _('object_permissions field is required')}) if 'id' not in group_data and 'name' not in group_data: raise ValidationError(detail={ 'groups': _('id or name field is required')}) - roles = group_data['object_roles'] + perms = group_data['object_permissions'] - if not isinstance(roles, list): + if not isinstance(perms, list): raise ValidationError(detail={ - 'groups': _('object_roles must be a list of strings')}) + 'groups': _('object_permissions must be a list of strings')}) # validate that the permissions exist - for role in roles: + for perm in perms: + if '.' in perm: + app_label, codename = perm.split('.', maxsplit=1) + filter_q = Q(content_type__app_label=app_label) & Q(codename=codename) + else: + filter_q = Q(codename=perm) + # TODO(newswangerd): Figure out how to make this one SQL query instead of # performing N queries for each permission - if not Role.objects.filter(name=role).exists(): + if not Permission.objects.filter(filter_q).exists(): raise ValidationError(detail={ - 'groups': _('Role {} does not exist').format(role)}) + 'groups': _('Permission {} does not exist').format(perm)}) def to_representation(self, value): rep = [] 
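Review bot: In `_validate_group` (galaxy_ng/app/access_control/fields.py) the new loop only checks that `perms` is a list, so a non-string element in the request body reaches `'.' in perm` and raises TypeError instead of the `ValidationError` the message promises. Add `if not isinstance(perm, str): raise ValidationError(detail={'groups': _('object_permissions must be a list of strings')})` at the top of the loop. The existence check is also not tied to the model the permissions will later be assigned on: `Q(codename=perm)` matches a `Permission` row from any app, and the dotted form matches any model within that app, so a name that is valid elsewhere passes validation here. If the field can learn the target model, constraining `filter_q` to that model's content type would reject such names at validation time rather than at assignment.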
@@ -40,7 +46,7 @@ def to_representation(self, value): rep.append({ 'id': group.id, 'name': group.name, - 'object_roles': value[group] + 'object_permissions': value[group] }) return rep @@ -59,10 +65,7 @@ def to_internal_value(self, data): group_filter[field] = group_data[field] try: group = auth_models.Group.objects.get(**group_filter) - if 'object_permissions' in group_data: - internal[group] = group_data['object_permissions'] - if 'object_roles' in group_data: - internal[group] = group_data['object_roles'] + internal[group] = group_data['object_permissions'] except auth_models.Group.DoesNotExist: raise ValidationError(detail={ 'groups': _("Group name=%s, id=%s does not exist") % ( @@ -81,6 +84,8 @@ def to_representation(self, obj): return [] user = request.user + # guardian's get_perms(user, obj) method only returns user permissions, + # not all permissions a user has. my_perms = [] for perm in get_perms_for_model(type(obj)).all(): codename = "{}.{}".format(perm.content_type.app_label, perm.codename) diff --git a/galaxy_ng/app/access_control/mixins.py b/galaxy_ng/app/access_control/mixins.py index 50b00a28f1..d0ac4c2896 100644 --- a/galaxy_ng/app/access_control/mixins.py +++ b/galaxy_ng/app/access_control/mixins.py @@ -1,15 +1,5 @@ from django.db import transaction -from django.core.exceptions import BadRequest -from django.utils.translation import gettext_lazy as _ - -from rest_framework.exceptions import ValidationError - -from pulpcore.plugin.util import ( - assign_role, - remove_role, - get_groups_with_perms_attached_roles -) - +from guardian.shortcuts import get_groups_with_perms, assign_perm, remove_perm from django_lifecycle import hook @@ -18,7 +8,7 @@ class GroupModelPermissionsMixin: @property def groups(self): - return get_groups_with_perms_attached_roles(self) + return get_groups_with_perms(self, attach_perms=True) @groups.setter def groups(self, groups): 
@@ -26,27 +16,20 @@ def groups(self, groups): @transaction.atomic def _set_groups(self, groups): - # Can't add permissions to objects that haven't been + # guardian doesn't allow adding permissions to objects that haven't been # saved. When creating new objects, save group data to _groups where it # can be picked up by the post save hook. if self._state.adding: self._groups = groups else: - current_groups = get_groups_with_perms_attached_roles(self) + current_groups = get_groups_with_perms(self, attach_perms=True) for group in current_groups: for perm in current_groups[group]: - remove_role(perm, group, self) + remove_perm(perm, group, self) for group in groups: - for role in groups[group]: - try: - assign_role(role, group, self) - except BadRequest: - raise ValidationError( - detail={'groups': _('Role {role} does not exist or does not ' - 'have any permissions related to this object.' - ).format(role=role)} - ) + for perm in groups[group]: + assign_perm(perm, group, self) @hook('after_save') def set_object_groups(self): diff --git a/galaxy_ng/app/access_control/statements/roles.py b/galaxy_ng/app/access_control/statements/roles.py index 327ea7fcd9..5337408bd0 100644 --- a/galaxy_ng/app/access_control/statements/roles.py +++ b/galaxy_ng/app/access_control/statements/roles.py @@ -24,9 +24,6 @@ }, "NamespaceViewSet": { "LOCKED_ROLES": { - "galaxy.content_admin": [ - "ansible.modify_ansible_repo_content", - ], "galaxy.namespace_owner": [ "galaxy.add_namespace", "galaxy.change_namespace", @@ -39,18 +36,6 @@ "galaxy.upload_to_namespace", "ansible.delete_collection", ], - "galaxy.group_admin": [ - "galaxy.view_group", - "galaxy.delete_group", - "galaxy.add_group", - "galaxy.change_group", - ], - "galaxy.user_admin": [ - "galaxy.view_user", - "galaxy.delete_user", - "galaxy.add_user", - "galaxy.change_user", - ], }, }, "SyncListViewSet": { 
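Review bot: In `_set_groups` (galaxy_ng/app/access_control/mixins.py) the new `assign_perm(perm, group, self)` call has no error handling, whereas the code it replaces turned a failed assignment into a `ValidationError` on `groups`. The permission names presumably originate from API input via the `groups` setter. guardian is expected to resolve each name against this object's content type and raise `Permission.DoesNotExist` for a name that does not belong to it (confirm against the pinned guardian version), which would surface as a server error rather than a 400. Wrapping the call and re-raising as a validation error keeps the previous contract; it needs the `ValidationError` and `gettext_lazy` imports that the first hunk of this file removes, plus `Permission`.

```python
# … unchanged: removal of the permissions currently attached to each group …
for group in groups:
    for perm in groups[group]:
        try:
            assign_perm(perm, group, self)
        except Permission.DoesNotExist:
            raise ValidationError(
                detail={'groups': _('Permission {perm} does not exist or is not '
                                    'related to this object.').format(perm=perm)}
            )
```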
@@ -60,7 +45,6 @@ "galaxy.change_synclist", "galaxy.delete_synclist", "galaxy.view_synclist", - "ansible.change_collectionremote", ], } }, diff --git a/galaxy_ng/app/api/ui/serializers/execution_environment.py b/galaxy_ng/app/api/ui/serializers/execution_environment.py index 22d8cd52f7..239e38f055 100644 --- a/galaxy_ng/app/api/ui/serializers/execution_environment.py +++ b/galaxy_ng/app/api/ui/serializers/execution_environment.py @@ -8,7 +8,7 @@ from drf_spectacular.types import OpenApiTypes from drf_spectacular.utils import extend_schema_field -from pulpcore.plugin.util import get_users_with_perms +from guardian.shortcuts import get_users_with_perms from pulp_container.app import models as container_models from pulp_container.app import serializers as container_serializers diff --git a/galaxy_ng/app/api/ui/viewsets/distribution.py b/galaxy_ng/app/api/ui/viewsets/distribution.py index 05a926a262..69f6d86878 100644 --- a/galaxy_ng/app/api/ui/viewsets/distribution.py +++ b/galaxy_ng/app/api/ui/viewsets/distribution.py @@ -1,6 +1,6 @@ from rest_framework import mixins from pulp_ansible.app import models as pulp_models -from pulpcore.plugin.util import get_objects_for_user +from guardian.shortcuts import get_objects_for_user from galaxy_ng.app.access_control import access_policy from galaxy_ng.app.api.ui import serializers, versioning @@ -31,7 +31,7 @@ def get_queryset(self): 'galaxy.change_synclist', any_perm=True, accept_global_perms=False, - qs=models.SyncList.objects.all() + klass=models.SyncList ) # TODO: find a better way query this data diff --git a/galaxy_ng/app/api/ui/viewsets/execution_environment.py b/galaxy_ng/app/api/ui/viewsets/execution_environment.py index 1bd4ed57e6..05fa502125 100644 --- a/galaxy_ng/app/api/ui/viewsets/execution_environment.py +++ b/galaxy_ng/app/api/ui/viewsets/execution_environment.py 
@@ -6,7 +6,7 @@ from django_filters import filters from django_filters.rest_framework import DjangoFilterBackend, filterset from drf_spectacular.utils import extend_schema -from pulpcore.plugin.util import get_objects_for_user +from guardian.shortcuts import get_objects_for_user from pulp_container.app import models as container_models from pulpcore.plugin import models as core_models from pulpcore.plugin.serializers import AsyncOperationResponseSerializer @@ -47,7 +47,7 @@ class Meta: def has_permissions(self, queryset, name, value): perms = self.request.query_params.getlist(name) namespaces = get_objects_for_user( - self.request.user, perms, qs=container_models.ContainerNamespace.objects.all()) + self.request.user, perms, klass=container_models.ContainerNamespace) return self.queryset.filter(namespace__in=namespaces) diff --git a/galaxy_ng/app/api/ui/viewsets/my_namespace.py b/galaxy_ng/app/api/ui/viewsets/my_namespace.py index 8e96d4973c..e9bd3b6706 100644 --- a/galaxy_ng/app/api/ui/viewsets/my_namespace.py +++ b/galaxy_ng/app/api/ui/viewsets/my_namespace.py @@ -1,5 +1,5 @@ from galaxy_ng.app import models -from pulpcore.plugin.util import get_objects_for_user +from guardian.shortcuts import get_objects_for_user from .namespace import NamespaceViewSet @@ -10,5 +10,5 @@ def get_queryset(self): self.request.user, ('galaxy.change_namespace', 'galaxy.upload_to_namespace'), any_perm=True, - qs=models.Namespace.objects.all() + klass=models.Namespace ) diff --git a/galaxy_ng/app/api/ui/viewsets/my_synclist.py b/galaxy_ng/app/api/ui/viewsets/my_synclist.py index f064fd1afd..b6a9bf7a0d 100644 --- a/galaxy_ng/app/api/ui/viewsets/my_synclist.py +++ b/galaxy_ng/app/api/ui/viewsets/my_synclist.py @@ -1,7 +1,7 @@ import logging from django.shortcuts import get_object_or_404 -from pulpcore.plugin.util import get_objects_for_user +from guardian.shortcuts import get_objects_for_user from rest_framework.decorators import action 
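Review bot: In `has_permissions` (galaxy_ng/app/api/ui/viewsets/execution_environment.py) the permission names handed to guardian's `get_objects_for_user` come straight from `self.request.query_params.getlist(name)` with no validation. guardian checks that every requested name belongs to the content type of `klass` and raises otherwise (`MixedContentTypeError`, as far as I recall; confirm against the version in use), so an unexpected value in the query string would likely produce a server error rather than an empty result or a 400. Checking the requested names against the permissions defined for `ContainerNamespace` before the call, and returning `queryset.none()` or a validation error when any is unknown, keeps the filter's failure mode predictable. A short docstring stating that the parameter takes `app_label.codename` values for container namespaces would document the expected input.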
@@ -30,8 +30,9 @@ def get_queryset(self): return get_objects_for_user( self.request.user, "galaxy.change_synclist", - # any_perm=True, - qs=models.SyncList.objects.all(), + any_perm=True, + accept_global_perms=False, + klass=models.SyncList, ) @action(detail=True, methods=["post"]) diff --git a/galaxy_ng/app/auth/auth.py b/galaxy_ng/app/auth/auth.py index 93c7d9e935..3f7651e024 100644 --- a/galaxy_ng/app/auth/auth.py +++ b/galaxy_ng/app/auth/auth.py @@ -4,9 +4,7 @@ from django.conf import settings from django.db import transaction - -from pulpcore.plugin.util import get_objects_for_group - +from guardian import shortcuts from pulp_ansible.app.models import AnsibleDistribution, AnsibleRepository from rest_framework.authentication import BaseAuthentication from rest_framework.exceptions import AuthenticationFailed @@ -81,9 +79,11 @@ def _ensure_group(self, account_scope, account): def _ensure_synclists(self, group): with transaction.atomic(): # check for existing synclists + perms = ['galaxy.view_synclist'] synclists_owned_by_group = \ - get_objects_for_group(group, 'galaxy.view_synclist', SyncList.objects.all()) + shortcuts.get_objects_for_group(group, perms, klass=SyncList, + any_perm=False, accept_global_perms=True) if synclists_owned_by_group: return synclists_owned_by_group @@ -105,7 +105,8 @@ def _ensure_synclists(self, group): }, ) - default_synclist.groups = {group: ['galaxy.synclist_owner']} + default_synclist.groups = {group: ['galaxy.view_synclist', 'galaxy.add_synclist', + 'galaxy.delete_synclist', 'galaxy.change_synclist']} default_synclist.save() return default_synclist diff --git a/galaxy_ng/app/management/commands/maintain-pe-group.py b/galaxy_ng/app/management/commands/maintain-pe-group.py index 44092bd60a..afc6d95bf8 100644 --- a/galaxy_ng/app/management/commands/maintain-pe-group.py +++ b/galaxy_ng/app/management/commands/maintain-pe-group.py 
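Review bot: In `_ensure_synclists` (galaxy_ng/app/auth/auth.py) the lookup passes `accept_global_perms=True`, so a group holding `galaxy.view_synclist` as a model-level permission would, by guardian's documented behaviour, get every `SyncList` back, and the early `return synclists_owned_by_group` would then hand that group synclists belonging to other groups. The variable name and the `my_synclist.py` queryset in this same commit, which uses `accept_global_perms=False`, both suggest that only object-level grants are meant here; `accept_global_perms=False` expresses that. With a single entry in `perms`, `any_perm` has no effect and can be dropped. The body of `_ensure_synclists` continues past this hunk.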
@@ -1,6 +1,5 @@ from django.core.management import BaseCommand - -from pulpcore.plugin.util import assign_role +from guardian.shortcuts import assign_perm from galaxy_ng.app.models.auth import Group @@ -10,8 +9,8 @@ class Command(BaseCommand): """ This command creates or updates a partner engineering group - with a standard set of permissions via Galaxy locked roles. - Intended to be used for settings.GALAXY_DEPLOYMENT_MODE==insights. + with a standard set of permissions. Intended to be used for + settings.GALAXY_DEPLOYMENT_MODE==insights. $ django-admin maintain-pe-group """ @@ -19,23 +18,34 @@ class Command(BaseCommand): help = "Creates/updates partner engineering group with permissions" def handle(self, *args, **options): - pe_group, group_created = Group.objects.get_or_create(name=PE_GROUP_NAME) - if group_created: + pe_group, created = Group.objects.get_or_create(name=PE_GROUP_NAME) + if created: self.stdout.write(f"Created group '{PE_GROUP_NAME}'") else: self.stdout.write(f"Group '{PE_GROUP_NAME}' already exists") - pe_roles = [ - 'galaxy.group_admin', - 'galaxy.user_admin', - 'galaxy.collection_admin', - 'galaxy.namespace_owner', - 'galaxy.content_admin', + pe_perms = [ + # groups + "galaxy.view_group", + "galaxy.delete_group", + "galaxy.add_group", + "galaxy.change_group", + # users + "galaxy.view_user", + "galaxy.delete_user", + "galaxy.add_user", + "galaxy.change_user", + # collections + "ansible.modify_ansible_repo_content", + "ansible.delete_collection", + # namespaces + "galaxy.add_namespace", + "galaxy.change_namespace", + "galaxy.upload_to_namespace", + "galaxy.delete_namespace", ] - for role in pe_roles: - assign_role(rolename=role, entity=pe_group) + for perm in pe_perms: + assign_perm(perm, pe_group) - self.stdout.write( - f"Roles assigned to '{PE_GROUP_NAME}'" - ) + self.stdout.write(f"Permissions assigned to '{PE_GROUP_NAME}'") diff --git a/galaxy_ng/app/models/auth.py b/galaxy_ng/app/models/auth.py index 0933c2b54a..89813a9cc1 100644 
--- a/galaxy_ng/app/models/auth.py +++ b/galaxy_ng/app/models/auth.py @@ -2,8 +2,6 @@ from django.contrib.auth import models as auth_models -from pulpcore.plugin.models import Group as PulpGroup - log = logging.getLogger(__name__) __all__ = ( @@ -38,7 +36,7 @@ def _make_name(scope, name): return f"{scope}:{name}" -class Group(PulpGroup): +class Group(auth_models.Group): objects = GroupManager() class Meta: diff --git a/galaxy_ng/app/viewsets.py b/galaxy_ng/app/viewsets.py index 6af8fd6f79..f66315aef2 100644 --- a/galaxy_ng/app/viewsets.py +++ b/galaxy_ng/app/viewsets.py @@ -36,12 +36,3 @@ class ContainerDistributionViewSet( serializer_class = serializers.ContainerRepositorySerializer permission_classes = [access_policy.ContainerRepositoryAccessPolicy] endpoint_name = "container" - - -class AuthViewSet( - pulp_viewsets.NamedModelViewSet, - mixins.RetrieveModelMixin, - mixins.DestroyModelMixin, -): - queryset = models.auth.Group.objects.all() - endpoint_name = "auth" diff --git a/galaxy_ng/tests/integration/api/test_locked_roles.py b/galaxy_ng/tests/integration/api/test_locked_roles.py index 2ec30960a4..62480e8188 100644 --- a/galaxy_ng/tests/integration/api/test_locked_roles.py +++ b/galaxy_ng/tests/integration/api/test_locked_roles.py @@ -13,12 +13,9 @@ def test_locked_roles_exist(ansible_config): galaxy_locked_roles = [ "galaxy.collection_admin", "galaxy.execution_environment_admin", - "galaxy.group_admin", - "galaxy.publisher", - "galaxy.user_admin", "galaxy.namespace_owner", + "galaxy.publisher", "galaxy.synclist_owner", - "galaxy.content_admin" ] config = ansible_config("ansible_partner") diff --git a/galaxy_ng/tests/unit/api/base.py b/galaxy_ng/tests/unit/api/base.py index 1ca5b85e05..2c2ff493cc 100644 --- a/galaxy_ng/tests/unit/api/base.py +++ b/galaxy_ng/tests/unit/api/base.py 
@@ -8,7 +8,7 @@ from galaxy_ng.app import models from galaxy_ng.app.access_control import access_policy from galaxy_ng.app.models import auth as auth_models -from pulpcore.plugin.util import assign_role +from guardian.shortcuts import assign_perm from galaxy_ng.app import constants @@ -76,13 +76,13 @@ def _create_user(username): return auth_models.User.objects.create(username=username) @staticmethod - def _create_group(scope, name, users=None, roles=[]): + def _create_group(scope, name, users=None, perms=[]): group, _ = auth_models.Group.objects.get_or_create_identity(scope, name) if isinstance(users, auth_models.User): users = [users] group.user_set.add(*users) - for r in roles: - assign_role(r, group) + for p in perms: + assign_perm(p, group) return group @staticmethod 
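Review bot: `_create_group` in galaxy_ng/tests/unit/api/base.py keeps a mutable list as the default for the renamed `perms` parameter, and `users=None` still falls through to `group.user_set.add(*users)`, which raises TypeError when a caller omits `users`. Using `perms=None` with `for p in perms or ():` and `group.user_set.add(*(users or ()))` avoids both. A one-line docstring saying that `perms` are model-level permissions in `app_label.codename` form would also help, since `assign_perm(p, group)` is called without an object.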
@@ -95,26 +95,51 @@ def _create_namespace(name, groups=None): groups_to_add = {} for group in groups: groups_to_add[group] = [ - 'galaxy.namespace_owner', + 'galaxy.upload_to_namespace', + 'galaxy.change_namespace', + 'galaxy.delete_namespace' ] namespace.groups = groups_to_add return namespace @staticmethod def _create_partner_engineer_group(): - # Maintain PE Group consistency with - # galaxy_ng/app/management/commands/maintain-pe-group.py:28 - pe_roles = [ - 'galaxy.namespace_owner', - 'galaxy.collection_admin', - 'galaxy.user_admin', - 'galaxy.group_admin', - 'galaxy.content_admin', + pe_perms = [ + # namespaces + 'galaxy.add_namespace', + 'galaxy.change_namespace', + 'galaxy.upload_to_namespace', + 'galaxy.delete_namespace', + + # collections + 'ansible.modify_ansible_repo_content', + 'ansible.delete_collection', + + # users + 'galaxy.view_user', + 'galaxy.delete_user', + 'galaxy.add_user', + 'galaxy.change_user', + + # groups + 'galaxy.view_group', + 'galaxy.delete_group', + 'galaxy.add_group', + 'galaxy.change_group', + + # synclists + 'galaxy.delete_synclist', + 'galaxy.change_synclist', + 'galaxy.view_synclist', + 'galaxy.add_synclist', + + # sync config + 'ansible.change_collectionremote', ] pe_group = auth_models.Group.objects.create( name='partner-engineers') - for role in pe_roles: - assign_role(role, pe_group) + for perm in pe_perms: + assign_perm(perm, pe_group) return pe_group diff --git a/galaxy_ng/tests/unit/api/synclist_base.py b/galaxy_ng/tests/unit/api/synclist_base.py index ffec78d6df..cbdf333df2 100644 --- a/galaxy_ng/tests/unit/api/synclist_base.py +++ b/galaxy_ng/tests/unit/api/synclist_base.py @@ -2,8 +2,8 @@ from unittest import mock from django.conf import settings +from guardian import shortcuts -from pulpcore.plugin.util import assign_role from pulp_ansible.app import models as pulp_ansible_models from galaxy_ng.app import models as galaxy_models 
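Review bot: `_create_partner_engineer_group` (galaxy_ng/tests/unit/api/base.py) drops the comment that tied this list to `maintain-pe-group.py`, and the two lists no longer match. The test helper grants the four synclist permissions and `ansible.change_collectionremote`, none of which appear in `pe_perms` in the management command as changed by this commit. Tests that rely on this group, which now include the sync-config and task tests, can therefore pass on permissions that a partner-engineering group created by the command would not hold. Either share one constant between the command and the test helper, or restore a comment such as `# Keep in sync with galaxy_ng/app/management/commands/maintain-pe-group.py` and align the two lists.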
@@ -15,7 +15,12 @@ ACCOUNT_SCOPE = "rh-identity-account" -SYNCLIST_ROLES = ["galaxy.synclist_owner"] +SYNCLIST_PERMS = [ + "add_synclist", + "view_synclist", + "delete_synclist", + "change_synclist", +] log.info("settings.FIXTURE_DIRS(module scope): %s", settings.FIXTURE_DIRS) @@ -23,7 +28,7 @@ class BaseSyncListViewSet(base.BaseTestCase): url_name = "galaxy:api:v3:ui:synclists-list" - default_owner_roles = SYNCLIST_ROLES + default_owner_permissions = SYNCLIST_PERMS def setUp(self): super().setUp() @@ -54,8 +59,9 @@ def _create_group_with_synclist_perms(scope, name, users=None): if isinstance(users, auth_models.User): users = [users] group.user_set.add(*users) - for role in SYNCLIST_ROLES: - assign_role(role, group) + + for perm in SYNCLIST_PERMS: + shortcuts.assign_perm(f"galaxy.{perm}", group) return group def _create_repository(self, name): @@ -81,7 +87,7 @@ def _create_synclist( groups_to_add = {} for group in groups: - groups_to_add[group] = self.default_owner_roles + groups_to_add[group] = self.default_owner_permissions synclist, _ = galaxy_models.SyncList.objects.get_or_create( name=name, repository=repository, upstream_repository=upstream_repository, diff --git a/galaxy_ng/tests/unit/api/test_api_ui_container_remote.py b/galaxy_ng/tests/unit/api/test_api_ui_container_remote.py index 111f9c8e26..1568779828 100644 --- a/galaxy_ng/tests/unit/api/test_api_ui_container_remote.py +++ b/galaxy_ng/tests/unit/api/test_api_ui_container_remote.py 
@@ -17,7 +17,12 @@ class TestContainerRemote(BaseTestCase): def setUp(self): super().setUp() - roles = ['galaxy.execution_environment_admin'] + permissions = [ + # change containers + 'container.namespace_change_containerdistribution', + # create containers + 'container.add_containernamespace', + ] self.container_user = auth_models.User.objects.create(username='container_user') self.admin = auth_models.User.objects.create(username='admin', is_superuser=True) self.regular_user = auth_models.User.objects.create(username='hacker') @@ -38,7 +43,7 @@ def setUp(self): "", "container_group", users=[self.container_user, ], - roles=roles + perms=permissions ) def _create_remote(self, user, name, registry_pk): diff --git a/galaxy_ng/tests/unit/api/test_api_ui_distributions.py b/galaxy_ng/tests/unit/api/test_api_ui_distributions.py index c95f62b67e..5e9eb2457d 100644 --- a/galaxy_ng/tests/unit/api/test_api_ui_distributions.py +++ b/galaxy_ng/tests/unit/api/test_api_ui_distributions.py @@ -1,9 +1,7 @@ import logging -# from django.contrib.auth import default_app_config from rest_framework import status as http_code -from pulpcore.plugin.util import assign_role from pulp_ansible.app import models as pulp_ansible_models from galaxy_ng.app.constants import DeploymentMode @@ -12,14 +10,16 @@ from .base import BaseTestCase, get_current_ui_url -from .synclist_base import ACCOUNT_SCOPE - log = logging.getLogger(__name__) logging.getLogger().setLevel(logging.DEBUG) class TestUIDistributions(BaseTestCase): - default_owner_roles = ['galaxy.synclist_owner'] + default_owner_permissions = [ + 'change_synclist', + 'view_synclist', + 'delete_synclist' + ] def setUp(self): super().setUp() 
@@ -27,9 +27,8 @@ def setUp(self): self.distro_url = get_current_ui_url('distributions-list') self.my_distro_url = get_current_ui_url('my-distributions-list') - self.group = self._create_group_with_synclist_perms( - ACCOUNT_SCOPE, "test1_group", users=[self.user] - ) + self.group = auth_models.Group.objects.create(name='test1_group') + self.user.groups.add(self.group) self.synclist_repo = self._create_repository('123-synclist') self.repo2 = self._create_repository('other-repo') @@ -55,15 +54,6 @@ def _create_repository(self, name): repo = pulp_ansible_models.AnsibleRepository.objects.create(name=name) return repo - def _create_group_with_synclist_perms(self, scope, name, users=None): - group, _ = auth_models.Group.objects.get_or_create_identity(scope, name) - if isinstance(users, auth_models.User): - users = [users] - group.user_set.add(*users) - for role in self.default_owner_roles: - assign_role(role, group) - return group - def _create_synclist( self, name, repository, upstream_repository, collections=None, namespaces=None, policy=None, groups=None, @@ -73,7 +63,7 @@ def _create_synclist( if groups: groups_to_add = {} for group in groups: - groups_to_add[group] = self.default_owner_roles + groups_to_add[group] = self.default_owner_permissions synclist.groups = groups_to_add return synclist diff --git a/galaxy_ng/tests/unit/api/test_api_ui_my_synclists.py b/galaxy_ng/tests/unit/api/test_api_ui_my_synclists.py index be5f8cdce5..bc9cc36bdd 100644 --- a/galaxy_ng/tests/unit/api/test_api_ui_my_synclists.py +++ b/galaxy_ng/tests/unit/api/test_api_ui_my_synclists.py @@ -59,7 +59,7 @@ def test_my_synclist_create(self): { "id": self.group.id, "name": self.group.name, - "object_roles": self.default_owner_roles, + "object_permissions": self.default_owner_permissions, }, ], } 
@@ -89,7 +89,7 @@ def test_my_synclist_update(self): { "id": self.group.id, "name": self.group.name, - "object_roles": self.default_owner_roles, + "object_permissions": self.default_owner_permissions, }, ], } @@ -109,16 +109,16 @@ def test_my_synclist_update(self): self.assertEqual(response.data["name"], self.synclist_name) self.assertEqual(response.data["policy"], "include") - # Sort role list for comparison - response.data["groups"][0]["object_roles"].sort() - self.default_owner_roles.sort() + # Sort permission list for comparison + response.data["groups"][0]["object_permissions"].sort() + self.default_owner_permissions.sort() self.assertEqual( response.data["groups"], [ { "name": self.group.name, "id": self.group.id, - "object_roles": self.default_owner_roles + "object_permissions": self.default_owner_permissions, } ], ) diff --git a/galaxy_ng/tests/unit/api/test_api_ui_sync_config.py b/galaxy_ng/tests/unit/api/test_api_ui_sync_config.py index 5ab5725090..c6504cbb36 100644 --- a/galaxy_ng/tests/unit/api/test_api_ui_sync_config.py +++ b/galaxy_ng/tests/unit/api/test_api_ui_sync_config.py @@ -8,7 +8,7 @@ CollectionRemote ) from galaxy_ng.app.constants import DeploymentMode -from .synclist_base import BaseSyncListViewSet +from .base import BaseTestCase log = logging.getLogger(__name__) @@ -26,16 +26,13 @@ def _create_remote(name, url, **kwargs): @override_settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value) -class TestUiSyncConfigViewSet(BaseSyncListViewSet): +class TestUiSyncConfigViewSet(BaseTestCase): def setUp(self): super().setUp() self.admin_user = self._create_user("admin") - self.sync_group = self._create_group_with_synclist_perms( - scope=None, - name="sync_group", - users=self.admin_user - ) + self.pe_group = self._create_partner_engineer_group() + self.admin_user.groups.add(self.pe_group) self.admin_user.save() # Remotes are created by data migration 
diff --git a/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py b/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py index 2d8a989fbd..4cc9e5bead 100644 --- a/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py +++ b/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py @@ -26,8 +26,11 @@ def setUp(self): def test_super_user(self): with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value): user = auth_models.User.objects.create(username='haxor') - self._create_group('', 'test_group1', users=[user], roles=[ - 'galaxy.user_admin', + self._create_group('', 'test_group1', users=[user], perms=[ + 'galaxy.view_user', + 'galaxy.delete_user', + 'galaxy.add_user', + 'galaxy.change_user', ]) self.client.force_authenticate(user=user) new_user_data = { @@ -69,8 +72,11 @@ def test_super_user(self): def test_user_can_only_create_users_with_their_groups(self): user = auth_models.User.objects.create(username='haxor') - group = self._create_group('', 'test_group1', users=[user], roles=[ - 'galaxy.user_admin', + group = self._create_group('', 'test_group1', users=[user], perms=[ + 'galaxy.view_user', + 'galaxy.delete_user', + 'galaxy.add_user', + 'galaxy.change_user', ]) self.client.force_authenticate(user=user) @@ -103,9 +109,12 @@ def test_user_can_only_create_users_with_their_groups(self): def test_user_can_create_users_with_right_perms(self): user = auth_models.User.objects.create(username='haxor') - self._create_group('', 'test_group1', users=[user], roles=[ - 'galaxy.user_admin', - 'galaxy.group_admin', + self._create_group('', 'test_group1', users=[user], perms=[ + 'galaxy.view_user', + 'galaxy.delete_user', + 'galaxy.add_user', + 'galaxy.change_user', + 'galaxy.change_group' ]) self.client.force_authenticate(user=user) 
@@ -304,9 +313,12 @@ def test_me_delete(self): group = self._create_group('', 'people_that_can_delete_users', users=[user], - roles=[ - 'galaxy.user_admin', - 'galaxy.group_admin' + perms=[ + 'galaxy.view_user', + 'galaxy.delete_user', + 'galaxy.add_user', + 'galaxy.change_user', + 'galaxy.change_group' ]) self.client.force_authenticate(user=user) @@ -349,9 +361,12 @@ def test_superuser_can_not_be_deleted(self): group = self._create_group('', 'people_that_can_delete_users', users=[user], - roles=[ - 'galaxy.user_admin', - 'galaxy.group_admin' + perms=[ + 'galaxy.view_user', + 'galaxy.delete_user', + 'galaxy.add_user', + 'galaxy.change_user', + 'galaxy.change_group' ]) new_user_data = { diff --git a/galaxy_ng/tests/unit/api/test_api_v3_namespace_viewsets.py b/galaxy_ng/tests/unit/api/test_api_v3_namespace_viewsets.py index a91a03f21a..e1abd2b8f5 100644 --- a/galaxy_ng/tests/unit/api/test_api_v3_namespace_viewsets.py +++ b/galaxy_ng/tests/unit/api/test_api_v3_namespace_viewsets.py @@ -186,15 +186,16 @@ def test_namespace_api_creates_deletes_inbound_repo(self): { "id": self.pe_group.id, "name": self.pe_group.name, - "object_roles": [ - 'galaxy.namespace_owner', + "object_permissions": [ + 'galaxy.upload_to_namespace', + 'galaxy.change_namespace', + 'galaxy.delete_namespace', ] }, ], }, format='json', ) - print(f"\n\n response: {response} \n\n") self.assertEqual(response.status_code, status.HTTP_201_CREATED) self.assertEqual(1, len(AnsibleRepository.objects.filter(name=repo_name))) self.assertEqual(1, len(AnsibleDistribution.objects.filter(name=repo_name))) diff --git a/galaxy_ng/tests/unit/api/test_api_v3_tasks.py b/galaxy_ng/tests/unit/api/test_api_v3_tasks.py index adc3828415..23a3ff7223 100644 --- a/galaxy_ng/tests/unit/api/test_api_v3_tasks.py +++ b/galaxy_ng/tests/unit/api/test_api_v3_tasks.py 
@@ -4,22 +4,19 @@ from django.test import override_settings from pulp_ansible.app.models import CollectionRemote from galaxy_ng.app.constants import DeploymentMode -from .synclist_base import BaseSyncListViewSet +from .base import BaseTestCase log = logging.getLogger(__name__) @override_settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value) -class TestUiTaskListViewSet(BaseSyncListViewSet): +class TestUiTaskListViewSet(BaseTestCase): def setUp(self): super().setUp() self.admin_user = self._create_user("admin") - self.sync_group = self._create_group_with_synclist_perms( - scope=None, - name="sync_group", - users=self.admin_user - ) + self.pe_group = self._create_partner_engineer_group() + self.admin_user.groups.add(self.pe_group) self.admin_user.save() self.certified_remote = CollectionRemote.objects.get(name='rh-certified')