Enable social auth users to see other users. (#1934)
Add a custom condition function that detects whether GitHub social auth is in use and, if so, always allows user list and retrieve.

Issue: AAH-2781

Signed-off-by: James Tanner <[email protected]>
jctanner authored Oct 16, 2023
1 parent 82fde17 commit 67bf324
Showing 5 changed files with 77 additions and 14 deletions.
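--- a/CHANGES/2781.bugfix
+++ b/CHANGES/2781.bugfix
@@ -0,0 +1 @@
+Allow all authenticated users to list and retrieve other users when using github social auth.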
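--- a/galaxy_ng/app/access_control/access_policy.py
+++ b/galaxy_ng/app/access_control/access_policy.py
@@ -281,6 +281,23 @@ def v3_can_destroy_collections(self, request, view, action):
 return True
 return False
 
+def v3_can_view_users(self, request, view, action):
+"""
+Community galaxy users need to be able to see one-another,
+so that they can grant eachother access to their namespaces.
+"""
+SOCIAL_AUTH_GITHUB_KEY = settings.get("SOCIAL_AUTH_GITHUB_KEY", default=None)
+SOCIAL_AUTH_GITHUB_SECRET = settings.get("SOCIAL_AUTH_GITHUB_SECRET", default=None)
+is_github_social_auth = all([SOCIAL_AUTH_GITHUB_KEY, SOCIAL_AUTH_GITHUB_SECRET])
+
+if is_github_social_auth:
+return True
+
+if request.user.has_perm('galaxy.view_user'):
+return True
+
+return False
+
 def has_ansible_repo_perms(self, request, view, action, permission):
 """
 Check if the user has model or object-level permissions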
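Review bot: `v3_can_view_users` grants list and retrieve to every authenticated user whenever `SOCIAL_AUTH_GITHUB_KEY` and `SOCIAL_AUTH_GITHUB_SECRET` are both set, which is a deployment-wide configuration check rather than a property of the request or of how the requesting user actually authenticated. Any standalone deployment that has GitHub OAuth configured alongside other login methods therefore lets every authenticated account enumerate all users, which is wider than the changelog's "when using github social auth" reads. If the project has a way to tell that the requester signed in through the social backend, gating on that (with the settings check as a precondition) would narrow the exposure; at minimum the docstring should state the real rule, e.g. `Grants list/retrieve to every authenticated user whenever GitHub social auth is configured (key and secret present), regardless of how this request was authenticated; otherwise falls back to the galaxy.view_user model permission.`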
4 changes: 2 additions & 2 deletions galaxy_ng/app/access_control/statements/standalone.py
Expand Up @@ -198,13 +198,13 @@
"action": ["list"],
"principal": "authenticated",
"effect": "allow",
"condition": "has_model_perms:galaxy.view_user"
"condition": ["v3_can_view_users"],
},
{
"action": ["retrieve"],
"principal": "authenticated",
"effect": "allow",
"condition": "has_model_perms:galaxy.view_user"
"condition": ["v3_can_view_users"],
},
{
"action": "destroy",
Expand Up @@ -570,3 +570,28 @@ def test_community_social_v3_namespace_sorting(ansible_config):
# https://issues.redhat.com/browse/AAH-2729
# social auth code was trying to sort namespaces ...
pass


@pytest.mark.deployment_community
def test_social_auth_access_api_ui_v1_users(ansible_config):
# https://issues.redhat.com/browse/AAH-2781

username = "foo1234"
default_cfg = extract_default_config(ansible_config)

ga = GithubAdminClient()
ga.delete_user(login=username)

user_c = ga.create_user(login=username, email="[email protected]")
user_c.update(default_cfg)
user_c['username'] = username

with SocialGithubClient(config=user_c) as client:
users_resp = client.get('_ui/v1/users/')
assert users_resp.status_code == 200

# try to fetch each user ..
for udata in users_resp.json()['data']:
uid = udata['id']
user_resp = client.get(f'_ui/v1/users/{uid}/')
assert user_resp.status_code == 200
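Review bot: The retrieve loop at the end of `test_social_auth_access_api_ui_v1_users` is vacuous when the list response carries no entries, so the test can pass without ever exercising the retrieve policy; add `assert users_resp.json()['data']` before the `for udata in ...` loop. Because the change widens read access for every authenticated user, the test would be more convincing if it also asserted the negative side, i.e. that the same social-auth client is still rejected on a write such as `destroy` against another user's record, if that is the intended policy, so a later edit cannot silently broaden writes as well. The `foo1234` user is deleted before the test but never cleaned up afterwards, which can leave state behind for later tests in the run. The file header for this section is not shown here.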
44 changes: 32 additions & 12 deletions galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py
Expand Up @@ -130,39 +130,50 @@ def test_user_can_create_users_with_right_perms(self):
self.assertEqual(response.status_code, status.HTTP_201_CREATED)

def test_user_list(self):
def _test_user_list():
def _test_user_list(expected=None):
# Check test user can[not] view other users
self.client.force_authenticate(user=self.user)
log.debug("self.client: %s", self.client)
log.debug("self.client.__dict__: %s", self.client.__dict__)
response = self.client.get(self.user_url)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(response.status_code, expected)

# Check admin user can -always- view others
self.client.force_authenticate(user=self.admin_user)
response = self.client.get(self.user_url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
data = response.data["data"]
self.assertEqual(len(data), auth_models.User.objects.all().count())

with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
_test_user_list()
_test_user_list(expected=status.HTTP_403_FORBIDDEN)

with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
_test_user_list()
_test_user_list(expected=status.HTTP_403_FORBIDDEN)

# community
kwargs = {
'GALAXY_DEPLOYMENT_MODE': DeploymentMode.STANDALONE.value,
'SOCIAL_AUTH_GITHUB_KEY': '1234',
'SOCIAL_AUTH_GITHUB_SECRET': '1234'
}
with self.settings(**kwargs):
_test_user_list(expected=status.HTTP_200_OK)

def test_user_get(self):
def _test_user_get():
# Check test user cannot view themselves on the users/ api
def _test_user_get(expected=None):
# Check test user can[not] view themselves on the users/ api
self.client.force_authenticate(user=self.user)
url = "{}{}/".format(self.user_url, self.user.id)
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(response.status_code, expected)

# Check test user cannot view other users
# Check test user can[not] view other users
url = "{}{}/".format(self.user_url, self.admin_user.id)
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(response.status_code, expected)

# Check admin user can view others
# Check admin user can -always- view others
self.client.force_authenticate(user=self.admin_user)
url = "{}{}/".format(self.user_url, self.user.id)
response = self.client.get(url)
Expand All @@ -175,10 +186,19 @@ def _test_user_get():
self.assertTrue(self.user.groups.exists(id=group["id"]))

with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
_test_user_get()
_test_user_get(expected=status.HTTP_403_FORBIDDEN)

with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
_test_user_get()
_test_user_get(expected=status.HTTP_403_FORBIDDEN)

# community
kwargs = {
'GALAXY_DEPLOYMENT_MODE': DeploymentMode.STANDALONE.value,
'SOCIAL_AUTH_GITHUB_KEY': '1234',
'SOCIAL_AUTH_GITHUB_SECRET': '1234'
}
with self.settings(**kwargs):
_test_user_get(expected=status.HTTP_200_OK)

def _test_create_or_update(self, method_call, url, new_user_data, crud_status, auth_user):
self.client.force_authenticate(user=auth_user)
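Review bot: `_test_user_list(expected=None)` and `_test_user_get(expected=None)` default `expected` to `None`, but every call site passes it and an omitted value would make `assertEqual(response.status_code, None)` fail unconditionally, so the default only hides a missing argument; make it required, `def _test_user_list(expected):` and `def _test_user_get(expected):`. The community case in `test_user_list` asserts only the status code, while the admin branch also checks `len(data)` against `auth_models.User.objects.all().count()`; repeating that length check under the `SOCIAL_AUTH_GITHUB_*` settings would pin that the broadened grant really returns the full list rather than a filtered one. The `log.debug` lines dumping `self.client` and `self.client.__dict__` appear to be leftover troubleshooting output and, if they are new here, could be dropped. `test_user_get` continues past the end of the first hunk, and the tail of `_test_user_get` sits in the second hunk of this file.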
