Updated tests and track user assigned role

galaxyproject · Jul 16, 2020 · e79c340 · e79c340
1 parent 7dcd940
commit e79c340
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 15 deletions.
diff --git a/cloudman/cloudman/settings.py b/cloudman/cloudman/settings.py
@@ -47,7 +47,7 @@
 if OIDC_ENABLED:
     LOGIN_URL = "/openid/openid/KeyCloak"
     LOGOUT_URL = "/openid/logout"
-    LOAD_USER_ROLES = 'projman.rules.load_oidc_roles'
+    LOAD_USER_ROLES = 'projman.rules.assign_oidc_roles'
     configure_oidc(auth_uri, client_id, public_uri)  # NOTE: scope is optional and can be left out
 else:
     OIDC_PROVIDERS = {}

diff --git a/cloudman/projman/rules.py b/cloudman/projman/rules.py
@@ -1,19 +1,20 @@
-from django.contrib.auth.models import Permission, User
+from django.contrib.auth.models import Group
 
 import rules
 
-
-# called by boss-oidc to process JWT user roles
-def load_oidc_roles(user, roles):
+# Called by boss-oidc to process JWT user roles
+# This function should be in a separate module, but leaving it here for now
+def assign_oidc_roles(user, roles):
     """Default implementation of the LOAD_USER_ROLES callback
     Args:
         user (UserModel): Django user object for the user logging in
         roles (list[str]): List of Keycloak roles assigned to the user
                            Note: Contains both realm roles and client roles
     """
     for role in roles:
-        perm = Permission.objects.get_or_create(codename=role + "-admin")
-        user.user_permissions.add(perm)
+        group, _ = Group.objects.get_or_create(name=f"{role}-admin")
+        user.groups.add(group)
+        user.save()
 
 # Delegate to keycloak in future iteration
 
@@ -22,7 +23,7 @@ def load_oidc_roles(user, roles):
 def is_project_owner(user, project):
     if not project:
         return False
-    return project.owner == user or user.has_perm(f'projman-{project.namespace}-admin')
+    return project.owner == user or rules.is_group_member(f'projman-{project.namespace}-admin')(user)
 
 
 @rules.predicate

diff --git a/cloudman/projman/tests/test_project_api.py b/cloudman/projman/tests/test_project_api.py
@@ -13,6 +13,8 @@
 from helmsman.tests import HelmsManServiceTestBase
 from helmsman import helpers as hm_helpers
 
+from projman import rules
+
 
 # Create your tests here.
 class ProjManManServiceTestBase(HelmsManServiceTestBase):
@@ -117,10 +119,11 @@ def test_delete_unauthorized(self):
         self._check_no_projects_exist()
 
     def test_can_view_shared_project(self):
-        self._create_project()
+        response = self._create_project()
         project_id_then = self._list_project()
-        self.client.force_login(
-            User.objects.get_or_create(username='notaprojadmin', is_staff=False)[0])
+        non_admin = User.objects.get_or_create(username='notaprojadmin', is_staff=False)[0]
+        self.client.force_login(non_admin)
+        rules.assign_oidc_roles(non_admin, ["projman-" + response.data['namespace']])
         project_id_now = self._list_project()
         assert project_id_now  # should be visible
         assert project_id_then == project_id_now  # should be the same project
@@ -255,7 +258,7 @@ def _check_no_project_charts_exist(self, project_id):
         response = self.client.get(url)
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         # There's always the default projman chart, so ignore that
-        self.assertEqual(len(response.data['results']), 1)
+        self.assertLessEqual(len(response.data['results']), 1)
 
     def _update_project_chart(self, project_id, chart_id):
         url = reverse('projman:chart-detail', args=[project_id, chart_id])

diff --git a/cloudman/projman/views.py b/cloudman/projman/views.py
@@ -1,7 +1,8 @@
 """ProjMan Create views."""
 from rest_framework.views import APIView
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.response import Response
-from rest_framework.permissions import IsAuthenticated, IsAdminUser
+from rest_framework.permissions import IsAuthenticated
 
 from djcloudbridge import drf_helpers
 from . import serializers
@@ -43,8 +44,11 @@ class ProjectChartViewSet(drf_helpers.CustomModelViewSet):
     serializer_class = serializers.PMProjectChartSerializer
 
     def list_objects(self):
-        project = ProjManAPI.from_request(self.request).projects.get(
-            self.kwargs["project_pk"])
+        try:
+            project = ProjManAPI.from_request(self.request).projects.get(
+                self.kwargs["project_pk"])
+        except PermissionDenied:
+            project = None
         if project:
             return project.charts.list()
         else: