From 6e4121a5b358cb22a7196075d071d81ad9de8894 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Thu, 6 Jun 2024 15:35:37 -0400
Subject: [PATCH 1/5] Add a system_auditor role who has read on everything.
No-Issue
Signed-off-by: James Tanner
---
 .../0053_create_system_auditor_role.py | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 galaxy_ng/app/migrations/0053_create_system_auditor_role.py
diff --git a/galaxy_ng/app/migrations/0053_create_system_auditor_role.py b/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
new file mode 100644
index 0000000000..21dbd9cdf9
--- /dev/null
+++ b/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
@@ -0,0 +1,40 @@
+# Generated by Django 4.2.13 on 2024-06-06 19:13
+
+from django.db import migrations
+
+
+def create_system_auditor_role(apps, schema_editor):
+ Role = apps.get_model("core", "Role")
+ Permission = apps.get_model("auth", "Permission")
+
+ # Create the role
+ role, created = Role.objects.get_or_create(
+ name='galaxy.system_auditor',
+ defaults={'description': 'Role with read-only permissions to all resources'}
+ )
+
+ for permission in Permission.objects.filter(codename__icontains='view'):
+ role.permissions.add(permission)
+
+
+def delete_system_auditor_role(apps, schema_editor):
+ Role = apps.get_model("core", "Role")
+
+ try:
+ role = Role.objects.get(name='galaxy.system_auditor')
+ except Role.DoesNotExist:
+ return
+
+ # Delete the role
+ role.delete()
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("galaxy", "0052_alter_organization_created_by_and_more"),
+ ]
+
+ operations = [
+ migrations.RunPython(create_system_auditor_role),
+ ]
From 8c45cd872bd1531ab159c071ebed72f5eb6e8685 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Thu, 6 Jun 2024 15:39:55 -0400
Subject: [PATCH 2/5] Add the rollback function name.
No-Issue
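Review bot: `Permission.objects.filter(codename__icontains='view')` in create_system_auditor_role selects any codename that contains "view" anywhere, case-insensitively, so the role is read-only only by coincidence of the codenames that happen to exist today; anchoring on the prefix, `codename__startswith='view_'`, pins the intent the description string states. Separately, Django creates auth permissions from a post_migrate handler, so on a fresh database this data migration likely sees an incomplete Permission table and the role ends up without view permissions for models whose rows are not yet created — confirm against a clean migrate. The `created` value from get_or_create is unused, and the one-at-a-time loop can be `role.permissions.add(*Permission.objects.filter(codename__startswith='view_'))`.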
Signed-off-by: James Tanner
---
 galaxy_ng/app/migrations/0053_create_system_auditor_role.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxy_ng/app/migrations/0053_create_system_auditor_role.py b/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
index 21dbd9cdf9..67e41ab8d2 100644
--- a/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
+++ b/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
@@ -36,5 +36,5 @@ class Migration(migrations.Migration):
 ]
 operations = [
- migrations.RunPython(create_system_auditor_role),
+ migrations.RunPython(create_system_auditor_role, delete_system_auditor_role),
 ]
From 5bacffe267fca95e0995ddf29d4556f3ee62724c Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Thu, 6 Jun 2024 16:50:47 -0400
Subject: [PATCH 3/5] Lint fixes.
No-Issue
Signed-off-by: James Tanner
---
 .../integration/api/test_system_auditor.py | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 galaxy_ng/tests/integration/api/test_system_auditor.py
diff --git a/galaxy_ng/tests/integration/api/test_system_auditor.py b/galaxy_ng/tests/integration/api/test_system_auditor.py
new file mode 100644
index 0000000000..3411d51b08
--- /dev/null
+++ b/galaxy_ng/tests/integration/api/test_system_auditor.py
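Review bot: delete_system_auditor_role, now wired as the reverse of this RunPython, deletes the role unconditionally, while the forward step uses get_or_create and leaves a pre-existing role of that name untouched, so a rollback can remove a role (and its assignments) that the migration did not create. That is probably acceptable for a project-prefixed name, but it is worth a one-line comment on the operation such as `# reverse deletes galaxy.system_auditor even if it pre-existed the migration`. The body of delete_system_auditor_role is outside this hunk.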
@@ -0,0 +1,39 @@
+import json
+import os
+import uuid
+
+import pytest
+
+
+pytestmark = pytest.mark.qa # noqa: F821
+
+
+@pytest.mark.deployment_standalone
+@pytest.mark.min_hub_version("4.10dev")
+@pytest.mark.skipif(
+ os.getenv("ENABLE_DAB_TESTS"),
+ reason="Skipping test because ENABLE_DAB_TESTS is set"
+)
+def test_system_auditor_role_permissions_without_gateway(galaxy_client):
+ """Tests ability to list roles assigned to a namespace."""
+
+ gc = galaxy_client("admin", ignore_cache=True)
+
+ # make a random user
+ username = str(uuid.uuid4())
+ uinfo = gc.post(
+ "_ui/v1/users/",
+ body=json.dumps({"username": username, "password": "redhat1234"})
+ )
+ uid = uinfo["id"]
+
+ # assign the galaxy.system_auditor role to the user
+ rinfo = gc.post(
+ f"pulp/api/v3/users/{uid}/roles/",
+ body=json.dumps({'content_object': None, 'role': 'galaxy.system_auditor'})
+ )
+
+ # check that all the permssions are view_* only ...
+ for perm_code in rinfo["permissions"]:
+ perm_name = perm_code.split(".", 1)[1]
+ assert "view_" in perm_name, f"{perm_code} is not a view-only permission"
From 8fc787b478923975e504328edfe7cbae6eac8a73 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Thu, 6 Jun 2024 18:38:58 -0400
Subject: [PATCH 4/5] Fixup test comment.
No-Issue
Signed-off-by: James Tanner
---
 galaxy_ng/tests/integration/api/test_system_auditor.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxy_ng/tests/integration/api/test_system_auditor.py b/galaxy_ng/tests/integration/api/test_system_auditor.py
index 3411d51b08..fe33f300b0 100644
--- a/galaxy_ng/tests/integration/api/test_system_auditor.py
+++ b/galaxy_ng/tests/integration/api/test_system_auditor.py
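Review bot: The loop at the end passes vacuously when `rinfo["permissions"]` is empty, so a migration that attached no permissions at all would not fail this test; add `assert rinfo["permissions"], "role has no permissions"` before the loop, and make the per-permission check `assert perm_name.startswith("view_"), ...`, since the substring test accepts any codename that merely contains "view_" (a constructed example: review_x). The test also creates a user and a role assignment and never removes them, so repeated runs accumulate state; wrapping the body in try/finally that deletes the user — presumably through the same `_ui/v1/users/` endpoint, verify — keeps the environment clean. The `os.getenv("ENABLE_DAB_TESTS")` guard skips on any non-empty value including "false"; if that is intended, a short comment saying so would prevent a future "fix".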
@@ -15,7 +15,7 @@
 reason="Skipping test because ENABLE_DAB_TESTS is set"
 )
 def test_system_auditor_role_permissions_without_gateway(galaxy_client):
- """Tests ability to list roles assigned to a namespace."""
+ """Tests the galaxy.system_auditor role can be added to a user and has the right perms."""
 gc = galaxy_client("admin", ignore_cache=True)
From cfb5909a0878fa917ab19bff68b853bfce3053fa Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Mon, 10 Jun 2024 11:40:49 -0400
Subject: [PATCH 5/5] Rename to galaxy.auditor.
No-Issue
Signed-off-by: James Tanner
---
 galaxy_ng/app/migrations/0053_create_system_auditor_role.py | 4 ++--
 galaxy_ng/tests/integration/api/test_system_auditor.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/galaxy_ng/app/migrations/0053_create_system_auditor_role.py b/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
index 67e41ab8d2..731b8a9337 100644
--- a/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
+++ b/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
@@ -9,7 +9,7 @@ def create_system_auditor_role(apps, schema_editor):
 # Create the role
 role, created = Role.objects.get_or_create(
- name='galaxy.system_auditor',
+ name='galaxy.auditor',
 defaults={'description': 'Role with read-only permissions to all resources'}
 )
@@ -21,7 +21,7 @@ def delete_system_auditor_role(apps, schema_editor):
 Role = apps.get_model("core", "Role")
 try:
- role = Role.objects.get(name='galaxy.system_auditor')
+ role = Role.objects.get(name='galaxy.auditor')
 except Role.DoesNotExist:
 return
diff --git a/galaxy_ng/tests/integration/api/test_system_auditor.py b/galaxy_ng/tests/integration/api/test_system_auditor.py
index fe33f300b0..93248901cd 100644
--- a/galaxy_ng/tests/integration/api/test_system_auditor.py
+++ b/galaxy_ng/tests/integration/api/test_system_auditor.py
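Review bot: Both migration hunks rename the role to galaxy.auditor, but the functions `create_system_auditor_role`/`delete_system_auditor_role`, the 0053 module name and the test module name still say system_auditor, which will mislead the next reader about which role this migration owns; renaming the functions to `create_auditor_role`/`delete_auditor_role` (and the two `RunPython` references in `operations`, outside these hunks) keeps the names aligned with the string. Because the string is edited inside the already-written 0053 migration rather than in a new one, any environment that applied the earlier revision would keep a galaxy.system_auditor role and the reverse would no longer find it; that is harmless only if 0053 has never been applied anywhere — confirm.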
@@ -30,7 +30,7 @@ def test_system_auditor_role_permissions_without_gateway(galaxy_client):
 # assign the galaxy.system_auditor role to the user
 rinfo = gc.post(
 f"pulp/api/v3/users/{uid}/roles/",
- body=json.dumps({'content_object': None, 'role': 'galaxy.system_auditor'})
+ body=json.dumps({'content_object': None, 'role': 'galaxy.auditor'})
 )
 # check that all the permssions are view_* only ...
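Review bot: The context line `# assign the galaxy.system_auditor role to the user` directly above the changed request body is now stale, as is the docstring set in the previous patch ("Tests the galaxy.system_auditor role ...", outside this hunk); update the comment to `# assign the galaxy.auditor role to the user` and the docstring in the same commit so the test text names the role it actually exercises. The enclosing test function starts and ends outside the hunk.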