From b83c60f7f57ee04ea17be5fce1c1fa712213d56b Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Mon, 10 Jun 2024 17:28:49 -0400
Subject: [PATCH 1/9] Stuff.
No-Issue
Signed-off-by: James Tanner
---
 galaxy_ng/app/constants.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/galaxy_ng/app/constants.py b/galaxy_ng/app/constants.py
index a8dc01f11c..f958b06d3c 100644
--- a/galaxy_ng/app/constants.py
+++ b/galaxy_ng/app/constants.py
@@ -30,6 +30,12 @@ class DeploymentMode(enum.Enum):
 # Category to group the permission in the UI.
 "ui_category": _("Collection Namespaces"),
 },
+ "galaxy.view_namespace": {
+ "name": _("View namespace"),
+ "object_description": _("View this namespace."),
+ "global_description": _("View any existing namespace."),
+ "ui_category": _("Collection Namespaces"),
+ },
 "galaxy.change_namespace": {
 "name": _("Change namespace"),
 "object_description": _("Edit this namespace."),
From 1ab20a36b74a7fdec3f9c91d551ea77101d7b473 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Mon, 10 Jun 2024 17:33:04 -0400
Subject: [PATCH 2/9] More stuff.
No-Issue
Signed-off-by: James Tanner
---
 galaxy_ng/app/constants.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/galaxy_ng/app/constants.py b/galaxy_ng/app/constants.py
index f958b06d3c..bb22ebb418 100644
--- a/galaxy_ng/app/constants.py
+++ b/galaxy_ng/app/constants.py
@@ -54,12 +54,24 @@ class DeploymentMode(enum.Enum):
 "global_description": _("Upload collections to any existing namespace."),
 "ui_category": _("Collection Namespaces"),
 },
+ "ansible.view_collection": {
+ "name": _("View collection"),
+ "object_description": _("View this collection."),
+ "global_description": _("View any existing collection."),
+ "ui_category": _("Collections"),
+ },
 "ansible.delete_collection": {
 "name": _("Delete collection"),
 "object_description": _("Delete this collection."),
 "global_description": _("Delete any existing collection."),
 "ui_category": _("Collections"),
 },
+ "ansible.view_ansible_repo_content": {
+ "name": _("View Ansible repo content"),
+ "object_description": _("View content of this Ansible repository."),
+ "global_description": _("View collections in any existing namespace."),
+ "ui_category": _("Collections"),
+ },
 "ansible.modify_ansible_repo_content": {
 "name": _("Modify Ansible repo content"),
 "object_description": _("Modify content of this Ansible repository."),
From a02c99b93342173cbb3a130830b052099300a84d Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Mon, 10 Jun 2024 17:36:13 -0400
Subject: [PATCH 3/9] Checkin.
No-Issue
Signed-off-by: James Tanner
---
 galaxy_ng/app/constants.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/galaxy_ng/app/constants.py b/galaxy_ng/app/constants.py
index bb22ebb418..87011ee366 100644
--- a/galaxy_ng/app/constants.py
+++ b/galaxy_ng/app/constants.py
@@ -66,10 +66,10 @@ class DeploymentMode(enum.Enum):
 "global_description": _("Delete any existing collection."),
 "ui_category": _("Collections"),
 },
- "ansible.view_ansible_repo_content": {
+ "ansible.view_ansiblerepository": {
 "name": _("View Ansible repo content"),
- "object_description": _("View content of this Ansible repository."),
- "global_description": _("View collections in any existing namespace."),
+ "object_description": _("View this Ansible repository."),
+ "global_description": _("View this Ansible repository."),
 "ui_category": _("Collections"),
 },
 "ansible.modify_ansible_repo_content": {
@@ -248,6 +248,12 @@ class DeploymentMode(enum.Enum):
 "global_description": _("Manage container namespace roles existing in the system."),
 "ui_category": _("Execution Environments"),
 },
+ "galaxy.view_containerregistryremote": {
+ "name": _("View remote registry"),
+ "object_description": None,
+ "global_description": _("View remote registries in the system."),
+ "ui_category": _("Container Registry Remotes"),
+ },
 "galaxy.add_containerregistryremote": {
 "name": _("Add remote registry"),
 "object_description": None,
From b40beedbd320fc2d1d4c11aaa3622728bb2f58f9 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Mon, 10 Jun 2024 17:42:16 -0400
Subject: [PATCH 4/9] Checkin.
No-Issue
Signed-off-by: James Tanner
---
 galaxy_ng/app/constants.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/galaxy_ng/app/constants.py b/galaxy_ng/app/constants.py
index 87011ee366..b3437ad08e 100644
--- a/galaxy_ng/app/constants.py
+++ b/galaxy_ng/app/constants.py
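Review bot: In the first hunk the key is renamed to the model-level codename `ansible.view_ansiblerepository`, but `"name"` still reads "View Ansible repo content", and the new `global_description` repeats the object wording "View this Ansible repository." where the neighbouring entries phrase the global form as "any existing …". Suggest `"name": _("View Ansible repository"),` and `"global_description": _("View any existing Ansible repository."),`. The second hunk's `galaxy.view_containerregistryremote` entry uses `"object_description": None` like the adjacent add entry, which looks deliberate. The enclosing mapping starts and ends outside both hunks.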
@@ -200,18 +200,36 @@ class DeploymentMode(enum.Enum):
 ),
 "ui_category": _("Ansible Repository"),
 },
+ "container.view_containernamespace": {
+ "name": _("View container namespace permissions"),
+ "object_description": _("View permissions on this container namespace."),
+ "global_description": _("View permissions on any existing container namespace."),
+ "ui_category": _("Execution Environments"),
+ },
 "container.change_containernamespace": {
 "name": _("Change container namespace permissions"),
 "object_description": _("Edit permissions on this container namespace."),
 "global_description": _("Edit permissions on any existing container namespace."),
 "ui_category": _("Execution Environments"),
 },
+ "container.namespace_view_containerdistribution": {
+ "name": _("View containers"),
+ "object_description": _("View all objects in this container namespace."),
+ "global_description": _("View all objects in any container namespace in the system."),
+ "ui_category": _("Execution Environments"),
+ },
 "container.namespace_change_containerdistribution": {
 "name": _("Change containers"),
 "object_description": _("Edit all objects in this container namespace."),
 "global_description": _("Edit all objects in any container namespace in the system."),
 "ui_category": _("Execution Environments"),
 },
+ "container.namespace_view_content_containerpushrepository" : {
+ "name": _("View image tags"),
+ "object_description": _("View an image's tag in this container namespace"),
+ "global_description": _("View an image's tag in any container namespace the system."),
+ "ui_category": _("Execution Environments"),
+ },
 "container.namespace_modify_content_containerpushrepository" : {
 "name": _("Change image tags"),
 "object_description": _("Edit an image's tag in this container namespace"),
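Review bot: The `global_description` of the new `container.namespace_view_content_containerpushrepository` entry drops a word and the trailing period — "in any container namespace the system." — and because these are translatable user-facing strings the typo would be frozen into the message catalog; suggest `"global_description": _("View an image's tag in any container namespace in the system."),`. The same key carries a space before the colon (`"…containerpushrepository" : {`), copied from the neighbouring modify entry; both could be normalised to `": {` in the same pass. The enclosing mapping starts and ends outside the hunk.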
@@ -224,6 +242,12 @@ class DeploymentMode(enum.Enum):
 "global_description": _("Add new containers to the system."),
 "ui_category": _("Execution Environments"),
 },
+ "container.view_containerrepository": {
+ "name": _("View container repository"),
+ "object_description": _("View this container repository."),
+ "global_description": _("View any existing container repository in the system."),
+ "ui_category": _("Execution Environments"),
+ },
 "container.delete_containerrepository": {
 "name": _("Delete container repository"),
 "object_description": _("Delete this container repository."),
From 3888a483e1c43b72f4dad781be1fe03cbb2a0523 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Mon, 10 Jun 2024 18:11:14 -0400
Subject: [PATCH 5/9] Checkin.
No-Issue
Signed-off-by: James Tanner
---
 galaxy_ng/app/constants.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/galaxy_ng/app/constants.py b/galaxy_ng/app/constants.py
index b3437ad08e..95447d1777 100644
--- a/galaxy_ng/app/constants.py
+++ b/galaxy_ng/app/constants.py
@@ -66,12 +66,12 @@ class DeploymentMode(enum.Enum):
 "global_description": _("Delete any existing collection."),
 "ui_category": _("Collections"),
 },
- "ansible.view_ansiblerepository": {
- "name": _("View Ansible repo content"),
- "object_description": _("View this Ansible repository."),
- "global_description": _("View this Ansible repository."),
- "ui_category": _("Collections"),
- },
+ #"ansible.view_ansiblerepository": {
+ # "name": _("View Ansible repository"),
+ # "object_description": _("View this Ansible repository."),
+ # "global_description": _("View this Ansible repository."),
+ # "ui_category": _("Collections"),
+ #},
 "ansible.modify_ansible_repo_content": {
 "name": _("Modify Ansible repo content"),
 "object_description": _("Modify content of this Ansible repository."),
From 9dd563c82b7067eae6c42021506244bf9b2e47b1 Mon Sep 17 00:00:00 2001
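Review bot: The patch-5 hunk keeps the whole `ansible.view_ansiblerepository` block as commented-out code instead of deleting it; git already preserves the removed entry, and dead code sitting among live permission descriptions invites someone to uncomment it later without knowing why it was disabled. If the reason is that a description for this codename already exists elsewhere in the file (the commented `name` was also changed to "View Ansible repository", which hints at a duplicate-key conflict, but that is not verifiable from the hunk), a one-line note such as `# NOTE: ansible.view_ansiblerepository is intentionally not described here — <reason placeholder>` is more useful than the retained block. Otherwise the six commented lines should simply be removed. The enclosing mapping starts and ends outside the hunk.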
From: James Tanner
Date: Mon, 10 Jun 2024 18:32:21 -0400
Subject: [PATCH 6/9] Add the role.
No-Issue
Signed-off-by: James Tanner
---
 .../app/access_control/statements/roles.py | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/galaxy_ng/app/access_control/statements/roles.py b/galaxy_ng/app/access_control/statements/roles.py
index 42c794e41b..a999eca0e8 100644
--- a/galaxy_ng/app/access_control/statements/roles.py
+++ b/galaxy_ng/app/access_control/statements/roles.py
@@ -145,6 +145,26 @@
 },
 "inherit_from": [],
 },
+ # View anything but not add/edit/delete.
+ "galaxy.auditor": {
+ "permissions": {
+ "ansible.view_ansiblerepository",
+ "ansible.view_collection",
+ "ansible.view_collectionremote",
+ "auth.view_group",
+ "container.namespace_view_containerdistribution",
+ "container.view_containernamespace",
+ "container.view_containerrepository",
+ "core.view_group",
+ "core.view_task",
+ "galaxy.view_containernamespace",
+ "galaxy.view_containerregistryremote",
+ "galaxy.view_group",
+ "galaxy.view_namespace",
+ "galaxy.view_user",
+ },
+ "inherit_from": []
+ },
 }
From b1189c70aa800194cfc34b17de830b562e99e356 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Mon, 10 Jun 2024 18:49:13 -0400
Subject: [PATCH 7/9] Bypass lint complaints?
No-Issue
Signed-off-by: James Tanner
---
 galaxy_ng/app/constants.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/galaxy_ng/app/constants.py b/galaxy_ng/app/constants.py
index 95447d1777..b7b405e13b 100644
--- a/galaxy_ng/app/constants.py
+++ b/galaxy_ng/app/constants.py
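Review bot: The new `galaxy.auditor` role grants `ansible.view_ansiblerepository`, yet patch 5 of this same series comments out that codename's description in constants.py, so within the series the role references a permission with no UI description; either restore the entry or confirm the codename is described elsewhere before merging. A read-only role is a sound least-privilege addition, but its contract should be stated next to it rather than only in the one-line comment, e.g. `# Read-only auditor: every codename here must be a view_* permission (checked by the integration test added later in this series).`. The closing `"inherit_from": []` lacks the trailing comma the entry above uses (`"inherit_from": [],`). The enclosing roles mapping starts outside the hunk.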
@@ -66,12 +66,12 @@ class DeploymentMode(enum.Enum):
 "global_description": _("Delete any existing collection."),
 "ui_category": _("Collections"),
 },
- #"ansible.view_ansiblerepository": {
+ # "ansible.view_ansiblerepository": {
 # "name": _("View Ansible repository"),
 # "object_description": _("View this Ansible repository."),
 # "global_description": _("View this Ansible repository."),
 # "ui_category": _("Collections"),
- #},
+ # },
 "ansible.modify_ansible_repo_content": {
 "name": _("Modify Ansible repo content"),
 "object_description": _("Modify content of this Ansible repository."),
From 3032afd3c840932e1d157c7406e5848c60aa32f1 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Mon, 10 Jun 2024 18:55:16 -0400
Subject: [PATCH 8/9] Add integration test from other PR.
No-Issue
Signed-off-by: James Tanner
---
 .../integration/api/test_system_auditor.py | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 galaxy_ng/tests/integration/api/test_system_auditor.py
diff --git a/galaxy_ng/tests/integration/api/test_system_auditor.py b/galaxy_ng/tests/integration/api/test_system_auditor.py
new file mode 100644
index 0000000000..93248901cd
--- /dev/null
+++ b/galaxy_ng/tests/integration/api/test_system_auditor.py
@@ -0,0 +1,39 @@
+import json
+import os
+import uuid
+
+import pytest
+
+
+pytestmark = pytest.mark.qa # noqa: F821
+
+
+@pytest.mark.deployment_standalone
+@pytest.mark.min_hub_version("4.10dev")
+@pytest.mark.skipif(
+ os.getenv("ENABLE_DAB_TESTS"),
+ reason="Skipping test because ENABLE_DAB_TESTS is set"
+)
+def test_system_auditor_role_permissions_without_gateway(galaxy_client):
+ """Tests the galaxy.system_auditor role can be added to a user and has the right perms."""
+
+ gc = galaxy_client("admin", ignore_cache=True)
+
+ # make a random user
+ username = str(uuid.uuid4())
+ uinfo = gc.post(
+ "_ui/v1/users/",
+ body=json.dumps({"username": username, "password": "redhat1234"})
+ )
+ uid = uinfo["id"]
+
+ # assign the galaxy.system_auditor role to the user
+ rinfo = gc.post(
+ f"pulp/api/v3/users/{uid}/roles/",
+ body=json.dumps({'content_object': None, 'role': 'galaxy.auditor'})
+ )
+
+ # check that all the permssions are view_* only ...
+ for perm_code in rinfo["permissions"]:
+ perm_name = perm_code.split(".", 1)[1]
+ assert "view_" in perm_name, f"{perm_code} is not a view-only permission"
From 0bbf8e0b35582729c1e85c22cd690c63a0b2392c Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Tue, 11 Jun 2024 06:32:11 -0400
Subject: [PATCH 9/9] Try to fix unit test.
No-Issue
Signed-off-by: James Tanner
---
 .../tests/unit/app/test_role_permissions_in_constants.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/galaxy_ng/tests/unit/app/test_role_permissions_in_constants.py b/galaxy_ng/tests/unit/app/test_role_permissions_in_constants.py
index 1200544884..29830a9e4d 100644
--- a/galaxy_ng/tests/unit/app/test_role_permissions_in_constants.py
+++ b/galaxy_ng/tests/unit/app/test_role_permissions_in_constants.py
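Review bot: The final loop passes vacuously when `rinfo["permissions"]` is empty, so a role that granted nothing would still satisfy the test; add `assert rinfo["permissions"], "galaxy.auditor granted no permissions"` before the loop. The substring check `"view_" in perm_name` also accepts any codename that merely contains the fragment, so `assert perm_name.startswith("view_"), f"{perm_code} is not a view-only permission"` pins the read-only intent more tightly. The docstring and the comment refer to `galaxy.system_auditor` while the request assigns `'galaxy.auditor'`; align them with the real role name. The user created with the fixed password `"redhat1234"` is never removed, so every run leaves an extra account on the hub under test — a `try/finally` that deletes `uid` would keep the fixture clean.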
@@ -18,7 +18,10 @@ def test_permissions_defined_in_roles_have_description(self):
 'galaxy.delete_synclist',
 'galaxy.view_synclist',
 'galaxy.add_synclist',
- 'galaxy.change_synclist'
+ 'galaxy.change_synclist',
+ 'galaxy.view_containernamespace',
+ 'core.view_group',
+ 'auth.view_group',
 }
 constant_permissions = constant_permissions.union(ignored_permissions)
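Review bot: Adding `galaxy.view_containernamespace`, `core.view_group` and `auth.view_group` to `ignored_permissions` exempts them from what appears to be the "every role permission has a description" check instead of giving them descriptions, and nothing in the hunk records why; `galaxy.view_containernamespace` in particular is one of the codenames the new auditor role grants. Suggest a comment above the new entries, `# view_* codenames granted to galaxy.auditor that have no constants.py description yet; remove once described`, or better, add the missing description entries and drop the exemption. The enclosing `test_permissions_defined_in_roles_have_description` starts outside the hunk.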