outposts: add tests for permissions

2020-09-14 17:34:07 +02:00 · 2020-09-14 17:34:07 +02:00 · 501683e3cb
parent cc8afa8706
commit 501683e3cb
3 changed files with 71 additions and 7 deletions
--- a/passbook/core/templates/base/skeleton.html
+++ b/passbook/core/templates/base/skeleton.html
@ -6,8 +6,8 @@

 <html lang="en">
    <head>
-        <link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff2' %}" as="font" type="font/woff2">
-        <link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff' %}" as="font" type="font/woff">
+        <link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff2' %}" as="font" type="font/woff2" crossorigin>
+        <link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff' %}" as="font" type="font/woff" crossorigin>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:config.passbook.branding.title %}{% endblock %}</title>
--- a/passbook/outposts/models.py
+++ b/passbook/outposts/models.py
@ -7,9 +7,10 @@ from uuid import uuid4
 from dacite import from_dict
 from django.contrib.postgres.fields import ArrayField
 from django.core.cache import cache
-from django.db import models
+from django.db import models, transaction
 from django.db.models.base import Model
 from django.utils.translation import gettext_lazy as _
+from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm

 from passbook.core.models import Provider, Token, TokenIntents, User
@ -114,10 +115,13 @@ class Outpost(models.Model):
            user.save()
        else:
            user = users.first()
-        for model in self.get_required_objects():
-            assign_perm(
-                f"{model._meta.app_label}.view_{model._meta.model_name}", user, model
-            )
+        # To ensure the user only has the correct permissions, we delete all of them and re-add
+        # the ones the user needs
+        with transaction.atomic():
+            UserObjectPermission.objects.filter(user=user).delete()
+            for model in self.get_required_objects():
+                code_name = f"{model._meta.app_label}.view_{model._meta.model_name}"
+                assign_perm(code_name, user, model)
        return user

    @property
--- a/passbook/outposts/tests.py
+++ b/passbook/outposts/tests.py
@ -0,0 +1,60 @@
+"""outpost tests"""
+from django.test import TestCase
+from guardian.models import UserObjectPermission
+
+from passbook.crypto.models import CertificateKeyPair
+from passbook.flows.models import Flow
+from passbook.outposts.models import Outpost, OutpostDeploymentType, OutpostType
+from passbook.providers.proxy.models import ProxyProvider
+
+
+class OutpostTests(TestCase):
+    """Outpost Tests"""
+
+    def test_service_account_permissions(self):
+        """Test that the service account has correct permissions"""
+        provider: ProxyProvider = ProxyProvider.objects.create(
+            name="test",
+            internal_host="http://localhost",
+            external_host="http://localhost",
+            authorization_flow=Flow.objects.first(),
+        )
+        outpost: Outpost = Outpost.objects.create(
+            name="test",
+            type=OutpostType.PROXY,
+            deployment_type=OutpostDeploymentType.CUSTOM,
+        )
+
+        # Before we add a provider, the user should only have access to the outpost
+        permissions = UserObjectPermission.objects.filter(user=outpost.user)
+        self.assertEqual(len(permissions), 1)
+        self.assertEqual(permissions[0].object_pk, str(outpost.pk))
+
+        # We add a provider, user should only have access to outpost and provider
+        outpost.providers.add(provider)
+        outpost.save()
+        permissions = UserObjectPermission.objects.filter(user=outpost.user).order_by(
+            "content_type__model"
+        )
+        self.assertEqual(len(permissions), 2)
+        self.assertEqual(permissions[0].object_pk, str(outpost.pk))
+        self.assertEqual(permissions[1].object_pk, str(provider.pk))
+
+        # Provider requires a certificate-key-pair, user should have permissions for it
+        keypair = CertificateKeyPair.objects.first()
+        provider.certificate = keypair
+        provider.save()
+        permissions = UserObjectPermission.objects.filter(user=outpost.user).order_by(
+            "content_type__model"
+        )
+        self.assertEqual(len(permissions), 3)
+        self.assertEqual(permissions[0].object_pk, str(keypair.pk))
+        self.assertEqual(permissions[1].object_pk, str(outpost.pk))
+        self.assertEqual(permissions[2].object_pk, str(provider.pk))
+
+        # Remove provider from outpost, user should only have access to outpost
+        outpost.providers.remove(provider)
+        outpost.save()
+        permissions = UserObjectPermission.objects.filter(user=outpost.user)
+        self.assertEqual(len(permissions), 1)
+        self.assertEqual(permissions[0].object_pk, str(outpost.pk))