Enable social auth users to see other users. #1934

Merged
merged 12 commits into from
Oct 16, 2023
1 change: 1 addition & 0 deletions CHANGES/2781.bugfix
@@ -0,0 +1 @@
Allow all authenticated users to list and retrieve other users when using github social auth.
17 changes: 17 additions & 0 deletions galaxy_ng/app/access_control/access_policy.py
Expand Up @@ -281,6 +281,23 @@ def v3_can_destroy_collections(self, request, view, action):
return True
return False

def v3_can_view_users(self, request, view, action):
"""
Community galaxy users need to be able to see one-another,
so that they can grant eachother access to their namespaces.
"""
SOCIAL_AUTH_GITHUB_KEY = settings.get("SOCIAL_AUTH_GITHUB_KEY", default=None)
SOCIAL_AUTH_GITHUB_SECRET = settings.get("SOCIAL_AUTH_GITHUB_SECRET", default=None)
is_github_social_auth = all([SOCIAL_AUTH_GITHUB_KEY, SOCIAL_AUTH_GITHUB_SECRET])

if is_github_social_auth:
return True

if request.user.has_perm('galaxy.view_user'):
return True

return False

def has_ansible_repo_perms(self, request, view, action, permission):
"""
Check if the user has model or object-level permissions
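Review bot: v3_can_view_users returns True for every authenticated request as soon as SOCIAL_AUTH_GITHUB_KEY and SOCIAL_AUTH_GITHUB_SECRET are both configured; it checks neither how request.user signed in nor GALAXY_DEPLOYMENT_MODE, so a standalone deployment that enables GitHub login next to local accounts also opens the full user list to every local account. The docstring only speaks of community users, so either make the scope explicit, e.g. `Grants list/retrieve to every authenticated user whenever GitHub social auth is configured (key and secret set) -- not only to users who logged in via GitHub.`, or narrow the condition to the community deployment as well. The unit tests in this PR exercise exactly the broad case (STANDALONE mode plus the two keys, expecting 200), so the current behaviour looks intentional rather than accidental, but it deserves to be stated where the check lives. The enclosing class starts outside the hunk.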
4 changes: 2 additions & 2 deletions galaxy_ng/app/access_control/statements/standalone.py
Expand Up @@ -198,13 +198,13 @@
"action": ["list"],
"principal": "authenticated",
"effect": "allow",
"condition": "has_model_perms:galaxy.view_user"
"condition": ["v3_can_view_users"],
},
{
"action": ["retrieve"],
"principal": "authenticated",
"effect": "allow",
"condition": "has_model_perms:galaxy.view_user"
"condition": ["v3_can_view_users"],
},
{
"action": "destroy",
Expand Up @@ -570,3 +570,28 @@ def test_community_social_v3_namespace_sorting(ansible_config):
# https://issues.redhat.com/browse/AAH-2729
# social auth code was trying to sort namespaces ...
pass


@pytest.mark.deployment_community
def test_social_auth_access_api_ui_v1_users(ansible_config):
# https://issues.redhat.com/browse/AAH-2781

username = "foo1234"
default_cfg = extract_default_config(ansible_config)

ga = GithubAdminClient()
ga.delete_user(login=username)

user_c = ga.create_user(login=username, email="[email protected]")
user_c.update(default_cfg)
user_c['username'] = username

with SocialGithubClient(config=user_c) as client:
users_resp = client.get('_ui/v1/users/')
assert users_resp.status_code == 200

# try to fetch each user ..
for udata in users_resp.json()['data']:
uid = udata['id']
user_resp = client.get(f'_ui/v1/users/{uid}/')
assert user_resp.status_code == 200
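Review bot: The new test asserts only status codes, so it confirms the broadened access but not what the listing now discloses to a non-admin social-auth user; asserting on the keys of each `udata` record (whatever fields the serializer is expected to expose, and nothing more) would pin the exposure as part of this change. The GitHub user created via `ga.create_user(...)` is deleted only before creation, never after, so a failing assertion leaves `foo1234` behind for the next run; wrapping the body in `try: ... finally: ga.delete_user(login=username)` keeps the environment clean. GithubAdminClient and SocialGithubClient are defined outside the hunk, so whether delete_user tolerates a missing user cannot be confirmed here.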
44 changes: 32 additions & 12 deletions galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py
Expand Up @@ -130,39 +130,50 @@ def test_user_can_create_users_with_right_perms(self):
self.assertEqual(response.status_code, status.HTTP_201_CREATED)

def test_user_list(self):
def _test_user_list():
def _test_user_list(expected=None):
# Check test user can[not] view other users
self.client.force_authenticate(user=self.user)
log.debug("self.client: %s", self.client)
log.debug("self.client.__dict__: %s", self.client.__dict__)
response = self.client.get(self.user_url)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(response.status_code, expected)

# Check admin user can -always- view others
self.client.force_authenticate(user=self.admin_user)
response = self.client.get(self.user_url)
self.assertEqual(response.status_code, status.HTTP_200_OK)
data = response.data["data"]
self.assertEqual(len(data), auth_models.User.objects.all().count())

with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
_test_user_list()
_test_user_list(expected=status.HTTP_403_FORBIDDEN)

with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
_test_user_list()
_test_user_list(expected=status.HTTP_403_FORBIDDEN)

# community
kwargs = {
'GALAXY_DEPLOYMENT_MODE': DeploymentMode.STANDALONE.value,
'SOCIAL_AUTH_GITHUB_KEY': '1234',
'SOCIAL_AUTH_GITHUB_SECRET': '1234'
}
with self.settings(**kwargs):
_test_user_list(expected=status.HTTP_200_OK)

def test_user_get(self):
def _test_user_get():
# Check test user cannot view themselves on the users/ api
def _test_user_get(expected=None):
# Check test user can[not] view themselves on the users/ api
self.client.force_authenticate(user=self.user)
url = "{}{}/".format(self.user_url, self.user.id)
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(response.status_code, expected)

# Check test user cannot view other users
# Check test user can[not] view other users
url = "{}{}/".format(self.user_url, self.admin_user.id)
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(response.status_code, expected)

# Check admin user can view others
# Check admin user can -always- view others
self.client.force_authenticate(user=self.admin_user)
url = "{}{}/".format(self.user_url, self.user.id)
response = self.client.get(url)
Expand All @@ -175,10 +186,19 @@ def _test_user_get():
self.assertTrue(self.user.groups.exists(id=group["id"]))

with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
_test_user_get()
_test_user_get(expected=status.HTTP_403_FORBIDDEN)

with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
_test_user_get()
_test_user_get(expected=status.HTTP_403_FORBIDDEN)

# community
kwargs = {
'GALAXY_DEPLOYMENT_MODE': DeploymentMode.STANDALONE.value,
'SOCIAL_AUTH_GITHUB_KEY': '1234',
'SOCIAL_AUTH_GITHUB_SECRET': '1234'
}
with self.settings(**kwargs):
_test_user_get(expected=status.HTTP_200_OK)

def _test_create_or_update(self, method_call, url, new_user_data, crud_status, auth_user):
self.client.force_authenticate(user=auth_user)
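Review bot: The two `log.debug(...)` calls added in `_test_user_list` dump `self.client` and `self.client.__dict__` on every run; they read as leftover debugging and only add noise to test output, so drop them or keep a single targeted message. The community `kwargs` dict (STANDALONE mode plus the two GitHub keys) is copied verbatim into both test_user_list and test_user_get; a module-level constant such as `COMMUNITY_SETTINGS = {...}` used as `with self.settings(**COMMUNITY_SETTINGS):` would keep the two cases from drifting apart. `expected=None` as the default means a caller that omits the argument fails with an unhelpful `assertEqual(403, None)`; making `expected` a required parameter is clearer. Both hunks sit inside a test class whose header is outside the view.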