Merge pull request #74 from mprevide/n-del-adm-user-group
Delete admin user and group
mprevide committed Jan 28, 2019
2 parents e909f32 + f132b1a commit 9f64080
Showing 11 changed files with 246 additions and 67 deletions.
52 changes: 37 additions & 15 deletions auth/controller/CRUDController.py
Expand Up @@ -69,11 +69,6 @@ def check_user(user):
if len(user['name']) > UserLimits.name:
raise HTTPRequestError(400, "Name too long")

if not user.get('profile', ""):
raise HTTPRequestError(400, "Missing profile")
if len(user['profile']) > UserLimits.profile:
raise HTTPRequestError(400, "Profile name too long")

return user


Expand All @@ -96,6 +91,11 @@ def create_user(db_session, user: User, requester):
check_user(user)
LOGGER.debug("... user data is OK.")

if not user.get('profile', ""):
raise HTTPRequestError(400, "Missing profile")
if len(user['profile']) > UserLimits.profile:
raise HTTPRequestError(400, "Profile name too long")

# Sanity checks
# Check whether username and e-mail are unique.
LOGGER.debug("Checking whether user already exist...")
Expand Down Expand Up @@ -188,7 +188,7 @@ def search_user(db_session, username: str = None) -> [User]:
:raises: HTTPRequestError if there is no users (or no such user)
currently in the database.
"""
#order the list of user by Name
# order the list of user by Name
user_query = db_session.query(User).order_by(User.name)

if username:
Expand Down Expand Up @@ -218,6 +218,7 @@ def update_user(db_session, user: str, updated_info, requester) -> (dict, str):
:return: The old information (a dictionary containing the old information about the user
and the old service.
:raises HTTPRequestError: If the username is different from the original (this field cannot be updated).
:raises HTTPRequestError: Can't edit service of the admin.
"""
# Drop invalid fields
updated_info = {k: updated_info[k] for k in updated_info if k in User.fillable}
Expand All @@ -241,6 +242,11 @@ def update_user(db_session, user: str, updated_info, requester) -> (dict, str):
log().info(f"user {user.username} updated by {requester['username']}");
log().info({'oldUser': user.safe_dict(), 'newUser': updated_info})

# the admin cant update service
if 'service' in updated_info.keys() \
and 'admin' == user.username and updated_info['service'] != 'admin':
raise HTTPRequestError(405, "Can't edit service of admin")

# Update all new data.
if 'name' in updated_info.keys():
user.name = updated_info['name']
Expand Down Expand Up @@ -273,12 +279,16 @@ def delete_user(db_session, username: str, requester):
"userid" and "username"
:return: The removed user
:raises HTTPRequestError: If the user tries to remove itself.
:raises HTTPRequestError: Can't delete the admin user.
:raises HTTPRequestError: If the user is not in the database.
"""
try:
user = User.get_by_name_or_id(username)
if user.id == requester['userid']:
raise HTTPRequestError(400, "a user can't remove himself")
elif user.username == 'admin':
raise HTTPRequestError(405, "Can't delete the admin user")

db_session.execute(
UserPermission.__table__.delete(UserPermission.user_id == user.id)
)
Expand Down Expand Up @@ -431,21 +441,25 @@ def update_perm(db_session, permission: str, perm_data, requester):
:param requester: Who is creating this user. This is a dictionary with two keys:
"userid" and "username".
:return:
:raises HTTPRequestError: Can't edit a system permission.
"""
perm_data = {k: perm_data[k] for k in perm_data if k in Permission.fillable}

check_perm(perm_data)
try:
perm = Permission.get_by_name_or_id(permission)
if 'name' in perm_data.keys() and perm.name != perm_data['name']:
raise HTTPRequestError(400, "permission name can't be changed")
for key, value in perm_data.items():
setattr(perm, key, value)
db_session.add(perm)
log().info(f"permission {perm.name} updated by {requester['username']}")
log().info(perm_data)
if perm.type == PermissionTypeEnum.api:
if 'name' in perm_data.keys() and perm.name != perm_data['name']:
raise HTTPRequestError(400, "permission name can't be changed")
for key, value in perm_data.items():
setattr(perm, key, value)
db_session.add(perm)
log().info(f"permission {perm.name} updated by {requester['username']}")
log().info(perm_data)

db_session.commit()
db_session.commit()
else:
raise HTTPRequestError(405, "Can't edit a system permission ")
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID")

Expand All @@ -458,6 +472,7 @@ def delete_perm(db_session, permission: str, requester):
:param requester: Who is creating this user. This is a dictionary with two keys:
"userid" and "username".
:return:
:raises HTTPRequestError: Can't delete a system permission.
"""
try:
perm = Permission.get_by_name_or_id(permission)
Expand Down Expand Up @@ -527,7 +542,7 @@ def search_group(db_session, name=None):
:param name: Group name
:return:
"""
#Order by Name
# Order by Name
group_query = db_session.query(Group).order_by(Group.name)
if name:
group_query = group_query.filter(Group.name.like('%' + name + '%'))
Expand All @@ -553,6 +568,9 @@ def update_group(db_session, group, group_data, requester):
try:
group = Group.get_by_name_or_id(group)

if group.name == 'admin':
raise HTTPRequestError(405, "Can't edit admin group")

for key, value in group_data.items():
setattr(group, key, value)
db_session.add(group)
Expand All @@ -567,6 +585,10 @@ def update_group(db_session, group, group_data, requester):
def delete_group(db_session, group, requester):
try:
group = Group.get_by_name_or_id(group)

if group.name == 'admin':
raise HTTPRequestError(405, "Can't delete admin group")

db_session.execute(
GroupPermission.__table__.delete(GroupPermission.group_id == group.id)
)
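Review bot: In update_user the audit entries `log().info(f"user {user.username} updated by {requester['username']}")` and the old/new dict logged on the next line are emitted before the new admin-service guard raises 405, so a rejected change of the admin's service is recorded as a completed update; move the guard above those two log calls so the log only reflects updates that went through. The literal `'admin'` is now the protected identity in four places in this file (this hunk, delete_user, update_group and delete_group); a module-level constant such as `PROTECTED_ADMIN_NAME = 'admin'` compared in each check would keep them from drifting. In update_perm the new message `"Can't edit a system permission "` carries a trailing space that will reach clients. update_user starts and ends outside the hunk.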
25 changes: 12 additions & 13 deletions docs/auth.apib
Expand Up @@ -15,7 +15,7 @@ Authenticate with the system, returning a session token to be used with API
+ Body

{
"username" : "admin",
"username" : "testadm",
"passwd" : "admin"
}

Expand Down Expand Up @@ -74,17 +74,17 @@ Lists all users known to the platform
"email": "admin@noemail.com",
"id": "1",
"name": "Admin (superuser)",
"profile": "admin",
"profile": "testadm",
"service": "admin",
"username": "admin"
"username": "testadm"
},
{
"created_by": "1",
"created_date": "2018-01-04 13:09:03.568749",
"email": "test@noemail.com",
"id": "2",
"name": "test",
"profile": "user",
"profile": "testuser",
"service": "test",
"username": "test"
}
Expand Down Expand Up @@ -114,7 +114,7 @@ Service is the token that associates the user with the set of devices and flows
"service": "test",
"email": "test@noemail.com",
"name": "test",
"profile": "user"
"profile": "testuser"
}

+ Response 200 (application/json)
Expand All @@ -126,12 +126,12 @@ Service is the token that associates the user with the set of devices and flows
"username": "test",
"service": "test",
"email": "test@noemail.com",
"profile": "user",
"profile": "testuser",
"created_date": "2018-01-04 13:09:03.568749",
"created_by": "0"
},
"groups": [
"user"
"testuser"
],
"could not add": [],
"message": "user created"
Expand Down Expand Up @@ -160,12 +160,12 @@ Retrieves all information from a specific registered user
"user": {
"created_by": "0",
"created_date": "2018-01-03 12:49:25.717374",
"email": "admin@noemail.com",
"email": "testadm@noemail.com",
"id": "1",
"name": "Admin (superuser)",
"profile": "admin",
"name": "testadm",
"profile": "testadm",
"service": "admin",
"username": "admin"
"username": "testadm"
}
}

Expand Down Expand Up @@ -193,8 +193,7 @@ Replaces user information. Fields or attributes that are not informed will rever
{
"service": "test",
"email": "test_new@noemail.com",
"name": "test",
"profile": "user"
"name": "test"
}

+ Response 200 (application/json)
6 changes: 3 additions & 3 deletions docs/crud-api.apib
Expand Up @@ -188,15 +188,15 @@ also be escaped
### Search Groups [GET /pap/group?name={name}]

+ Parameters
+ name: admin (optional, string) - a group name, or part of a group name.
+ name: testadm (optional, string) - a group name, or part of a group name.

+ Response 200 (application/json)

{
"groups": [
{
"id" : 3,
"name" : "admin",
"name" : "testadm",
"description" : "Full privilege group"
}
]
Expand Down Expand Up @@ -243,7 +243,7 @@ also be escaped
+ Body

{
"name": "admin",
"name": "testadm",
"description" : "projectX"
}

8 changes: 4 additions & 4 deletions docs/report.apib
Expand Up @@ -9,7 +9,7 @@ Endpoint to easily generate policies reports
## User direct permissions [/pap/user/{user}/directpermissions]

+ Parameters
+ user: admin (required, string) - user being requested.
+ user: testadm (required, string) - user being requested.


### Retrieve user direct permissions [GET]
Expand Down Expand Up @@ -44,7 +44,7 @@ Endpoint to easily generate policies reports
## All user permissions [/pap/user/{user}/allpermissions]

+ Parameters
+ user: admin (required, string) - user being requested.
+ user: testadm (required, string) - user being requested.

### Retrieve all user permissions [GET]

Expand Down Expand Up @@ -78,7 +78,7 @@ Endpoint to easily generate policies reports
## User groups [/pap/user/{user}/groups]

+ Parameters
+ user: admin (required, string) - user being requested.
+ user: testadm (required, string) - user being requested.

### Retrieve all user groups [GET]

Expand All @@ -92,7 +92,7 @@ Endpoint to easily generate policies reports
},
{
"id" : 4,
"name" : "admin"
"name" : "testadm"
}
]
}
Empty file added saida.txt
Empty file.
10 changes: 5 additions & 5 deletions tests/dredd-hooks/auth_hook.py
Expand Up @@ -17,11 +17,11 @@ def create_sample_users(transaction):
group_id = create_sample_groups(transaction)

user = {
"name": "admin",
"username": "admin",
"name": "testadm",
"username": "testadm",
"service": "admin",
"email": "admin@noemail.com",
"profile": "admin"
"email": "testadm@noemail.com",
"profile": "testadm"
}
requester = {
"userid": 0,
Expand All @@ -42,7 +42,7 @@ def create_sample_users(transaction):
"username": "test",
"service": "test",
"email": "test@noemail.com",
"profile": "user"
"profile": "testuser"
}

try:
30 changes: 10 additions & 20 deletions tests/dredd-hooks/clear_data_hook.py
Expand Up @@ -4,76 +4,66 @@
from database.flaskAlchemyInit import db
from database.flaskAlchemyInit import HTTPRequestError

from database.flaskAlchemyInit import log


@hooks.before_all
def auth_clear_permissions_and_groups(transaction):
requester = {
"userid": 0,
"username": "dredd"
}
log().info(">>>>>>> Limpando cenario para proxima execucao...")
try:
users = crud.search_user(db.session, None)
# Delete all users
for user in users:
crud.delete_user(db.session, user.username, requester)
if user.username != 'admin':
crud.delete_user(db.session, user.username, requester)
except HTTPRequestError:
pass

try:
permissions = crud.search_perm(db.session)
log().info(">>>>>>> Removendo permissao: ")
for permission in permissions:
log().info(">>>>>>> Permissao: " + permission.name + ", tipo: " + permission.type.value)
if permission.type != PermissionTypeEnum.system:
crud.delete_perm(db.session, permission.name, requester)
except HTTPRequestError as e:
log().error(">>>>> Excecao durante remocao de permissao: " + e)
# pass
pass

try:
groups = crud.search_group(db.session)
for group in groups:
crud.delete_group(db.session, group.name, requester)
if group.name != 'admin':
crud.delete_group(db.session, group.name, requester)
except HTTPRequestError as e:
pass

log().info(">>>>>>> ... cenario foi limpo.")


@hooks.after_each
def auth_clear_everything_hook(transaction):
requester = {
"userid": 0,
"username": "dredd"
}
log().info(">>>>>>> Limpando cenario apos execucao de caso de teste...")
try:
users = crud.search_user(db.session, None)
# Delete all users
for user in users:
crud.delete_user(db.session, user.username, requester)
if user.username != 'admin':
crud.delete_user(db.session, user.username, requester)
except HTTPRequestError:
pass

try:
permissions = crud.search_perm(db.session)
log().info(">>>>>>> Removendo permissao: ")
for permission in permissions:
log().info(">>>>>>> Permissao: " + permission.name + ", tipo: " + permission.type.value)
if permission.type != PermissionTypeEnum.system:
crud.delete_perm(db.session, permission.name, requester)
except HTTPRequestError as e:
log().error(">>>>> Excecao durante remocao de permissao: " + e)
# pass
pass

try:
groups = crud.search_group(db.session)
for group in groups:
crud.delete_group(db.session, group.name, requester)
if group.name != 'admin':
crud.delete_group(db.session, group.name, requester)
except HTTPRequestError as e:
pass

log().info(">>>>>>> ... cenario foi limpo apos execucao de caso de teste.")

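Review bot: The handler `log().error(">>>>> Excecao durante remocao de permissao: " + e)` in auth_clear_permissions_and_groups concatenates a str with the caught exception object, which raises TypeError inside the except block (unless HTTPRequestError is a str subclass) and aborts the cleanup on exactly the path it is meant to report; write it as `log().error(f">>>>> Excecao durante remocao de permissao: {e}")`. The same line appears in auth_clear_everything_hook further down the hunk. The two hooks are otherwise identical apart from their log messages, so the `!= 'admin'` filter this commit adds had to be written four times; a shared helper taking the messages as parameters would keep the protected-name check in one place.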