From 501683e3cba251e602fb4bd58254ec3db6a2f2f3 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Mon, 14 Sep 2020 17:34:07 +0200 Subject: [PATCH] outposts: add tests for permissions --- passbook/core/templates/base/skeleton.html | 4 +- passbook/outposts/models.py | 14 +++-- passbook/outposts/tests.py | 60 ++++++++++++++++++++++ 3 files changed, 71 insertions(+), 7 deletions(-) create mode 100644 passbook/outposts/tests.py diff --git a/passbook/core/templates/base/skeleton.html b/passbook/core/templates/base/skeleton.html index 303dbffd7..68f9c158e 100644 --- a/passbook/core/templates/base/skeleton.html +++ b/passbook/core/templates/base/skeleton.html @@ -6,8 +6,8 @@ - - + + {% block title %}{% trans title|default:config.passbook.branding.title %}{% endblock %} diff --git a/passbook/outposts/models.py b/passbook/outposts/models.py index b461838d7..9ebd90bc9 100644 --- a/passbook/outposts/models.py +++ b/passbook/outposts/models.py @@ -7,9 +7,10 @@ from uuid import uuid4 from dacite import from_dict from django.contrib.postgres.fields import ArrayField from django.core.cache import cache -from django.db import models +from django.db import models, transaction from django.db.models.base import Model from django.utils.translation import gettext_lazy as _ +from guardian.models import UserObjectPermission from guardian.shortcuts import assign_perm from passbook.core.models import Provider, Token, TokenIntents, User @@ -114,10 +115,13 @@ class Outpost(models.Model): user.save() else: user = users.first() - for model in self.get_required_objects(): - assign_perm( - f"{model._meta.app_label}.view_{model._meta.model_name}", user, model - ) + # To ensure the user only has the correct permissions, we delete all of them and re-add + # the ones the user needs + with transaction.atomic(): + UserObjectPermission.objects.filter(user=user).delete() + for model in self.get_required_objects(): + code_name = f"{model._meta.app_label}.view_{model._meta.model_name}" + assign_perm(code_name, user, model) return user @property diff --git a/passbook/outposts/tests.py b/passbook/outposts/tests.py new file mode 100644 index 000000000..18675e4c0 --- /dev/null +++ b/passbook/outposts/tests.py @@ -0,0 +1,60 @@ +"""outpost tests""" +from django.test import TestCase +from guardian.models import UserObjectPermission + +from passbook.crypto.models import CertificateKeyPair +from passbook.flows.models import Flow +from passbook.outposts.models import Outpost, OutpostDeploymentType, OutpostType +from passbook.providers.proxy.models import ProxyProvider + + +class OutpostTests(TestCase): + """Outpost Tests""" + + def test_service_account_permissions(self): + """Test that the service account has correct permissions""" + provider: ProxyProvider = ProxyProvider.objects.create( + name="test", + internal_host="http://localhost", + external_host="http://localhost", + authorization_flow=Flow.objects.first(), + ) + outpost: Outpost = Outpost.objects.create( + name="test", + type=OutpostType.PROXY, + deployment_type=OutpostDeploymentType.CUSTOM, + ) + + # Before we add a provider, the user should only have access to the outpost + permissions = UserObjectPermission.objects.filter(user=outpost.user) + self.assertEqual(len(permissions), 1) + self.assertEqual(permissions[0].object_pk, str(outpost.pk)) + + # We add a provider, user should only have access to outpost and provider + outpost.providers.add(provider) + outpost.save() + permissions = UserObjectPermission.objects.filter(user=outpost.user).order_by( + "content_type__model" + ) + self.assertEqual(len(permissions), 2) + self.assertEqual(permissions[0].object_pk, str(outpost.pk)) + self.assertEqual(permissions[1].object_pk, str(provider.pk)) + + # Provider requires a certificate-key-pair, user should have permissions for it + keypair = CertificateKeyPair.objects.first() + provider.certificate = keypair + provider.save() + permissions = UserObjectPermission.objects.filter(user=outpost.user).order_by( + "content_type__model" + ) + self.assertEqual(len(permissions), 3) + self.assertEqual(permissions[0].object_pk, str(keypair.pk)) + self.assertEqual(permissions[1].object_pk, str(outpost.pk)) + self.assertEqual(permissions[2].object_pk, str(provider.pk)) + + # Remove provider from outpost, user should only have access to outpost + outpost.providers.remove(provider) + outpost.save() + permissions = UserObjectPermission.objects.filter(user=outpost.user) + self.assertEqual(len(permissions), 1) + self.assertEqual(permissions[0].object_pk, str(outpost.pk))