From a41b68b5226f81ce58fbcd090a44a6c62e9b9e23 Mon Sep 17 00:00:00 2001
From: Dennis Kliban
Date: Tue, 16 Jan 2024 12:03:46 -0500
Subject: [PATCH] Fixes default access policies for Publications and Distributions.
fixes: #3381
---
 CHANGES/3381.bugfix | 1 +
 CHANGES/3381.feature | 1 +
 pulp_rpm/app/viewsets/repository.py | 9 +-
 .../tests/functional/api/test_rbac_crud.py | 96 +++++--------------
 requirements.txt | 2 +-
 5 files changed, 34 insertions(+), 75 deletions(-)
 create mode 100644 CHANGES/3381.bugfix
 create mode 100644 CHANGES/3381.feature
diff --git a/CHANGES/3381.bugfix b/CHANGES/3381.bugfix
new file mode 100644
index 000000000..a467ccf21
--- /dev/null
+++ b/CHANGES/3381.bugfix
@@ -0,0 +1 @@
+Fixes bug where RpmPublications couldn't be created when using a non-admin user.
diff --git a/CHANGES/3381.feature b/CHANGES/3381.feature
new file mode 100644
index 000000000..7888cb3d6
--- /dev/null
+++ b/CHANGES/3381.feature
@@ -0,0 +1 @@
+Raised pulpcore requirement to 3.44.1 to fix an RBAC related bug.
diff --git a/pulp_rpm/app/viewsets/repository.py b/pulp_rpm/app/viewsets/repository.py
index 4b4287a7b..019eae793 100644
--- a/pulp_rpm/app/viewsets/repository.py
+++ b/pulp_rpm/app/viewsets/repository.py
@@ -482,7 +482,8 @@ class RpmPublicationViewSet(PublicationViewSet, RolesMixin):
 "effect": "allow",
 "condition": [
 "has_model_or_domain_perms:rpm.add_rpmpublication",
- "has_repo_attr_model_or_domain_or_obj_perms:rpm.view_rpmrepository",
+ "has_repo_or_repo_ver_param_model_or_domain_or_obj_perms:"
+ "rpm.view_rpmrepository",
 ],
 },
 {
@@ -615,7 +616,8 @@ class RpmDistributionViewSet(DistributionViewSet, RolesMixin):
 "condition": [
 "has_model_or_domain_perms:rpm.add_rpmdistribution",
 "has_publication_param_model_or_domain_or_obj_perms:rpm.view_rpmpublication",
- "has_repo_attr_model_or_domain_or_obj_perms:rpm.view_rpmrepository",
+ "has_repo_or_repo_ver_param_model_or_domain_or_obj_perms:"
+ "rpm.view_rpmrepository",
 ],
 },
 {
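Review bot: The replacement condition in the RpmPublicationViewSet hunk (-482) is written as two adjacent string literals inside the `condition` list, so it stays a single policy entry only as long as nobody adds a comma after the first literal; with a comma the list would hold a condition with an empty argument plus a bare permission name. Wrapping the pair in parentheses, `("has_repo_or_repo_ver_param_model_or_domain_or_obj_perms:" "rpm.view_rpmrepository"),`, makes the concatenation explicit for the next person editing an access policy. The same pattern is repeated in the RpmDistributionViewSet hunks at -615 and -626. The policy statements these conditions belong to start outside the hunks.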
@@ -626,7 +628,8 @@ class RpmDistributionViewSet(DistributionViewSet, RolesMixin):
 "has_model_or_domain_or_obj_perms:rpm.change_rpmdistribution",
 "has_model_or_domain_or_obj_perms:rpm.view_rpmdistribution",
 "has_publication_param_model_or_domain_or_obj_perms:rpm.view_rpmpublication",
- "has_repo_attr_model_or_domain_or_obj_perms:rpm.view_rpmrepository",
+ "has_repo_or_repo_ver_param_model_or_domain_or_obj_perms:"
+ "rpm.view_rpmrepository",
 ],
 },
 {
diff --git a/pulp_rpm/tests/functional/api/test_rbac_crud.py b/pulp_rpm/tests/functional/api/test_rbac_crud.py
index cf21ac410..a8347fd75 100644
--- a/pulp_rpm/tests/functional/api/test_rbac_crud.py
+++ b/pulp_rpm/tests/functional/api/test_rbac_crud.py
@@ -1,7 +1,7 @@
 import pytest
 import uuid
-from pulpcore.client.pulp_rpm import RpmRepositorySyncURL, RpmRpmPublication, RpmRpmDistribution
+from pulpcore.client.pulp_rpm import RpmRepositorySyncURL
 from pulpcore.client.pulp_rpm.exceptions import ApiException
 from pulp_rpm.tests.functional.utils import gen_rpm_remote
@@ -265,6 +265,7 @@ def test_rbac_publication(
 rpm_rpmremote_api,
 rpm_repository_api,
 rpm_repository_factory,
+ rpm_publication_factory,
 rpm_publication_api,
 monitor_task,
 ):
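Review bot: The changelog entry added by this commit names only RpmPublications, but the hunk at -626 and the one at -615 also change which check guards repository access on RpmDistributionViewSet statements, and operators should be told that. As far as I know, pulpcore refreshes only stored access policies that were never customized (not visible on this page, so please confirm), which would leave customized policies on the old `has_repo_attr_model_or_domain_or_obj_perms` condition after an upgrade. Suggest extending CHANGES/3381.bugfix with a sentence such as `Customized access policies for RpmPublication and RpmDistribution need the same condition change applied by hand.` The statement this condition belongs to starts outside the hunk, so its action list cannot be seen here.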
@@ -272,49 +273,30 @@ def test_rbac_publication(
 user_creator = gen_user(
 model_roles=[
 "rpm.rpmpublication_creator",
- "rpm.rpmremote_owner",
- "rpm.rpmrepository_owner",
+ "rpm.rpmremote_creator",
+ "rpm.rpmrepository_creator",
 ]
 )
 user_viewer = gen_user(
 model_roles=[
 "rpm.viewer",
- "rpm.rpmremote_owner",
- "rpm.rpmrepository_owner",
- ]
- )
- user_no = gen_user(
- model_roles=[
- "rpm.rpmremote_owner",
- "rpm.rpmrepository_owner",
 ]
 )
-
- publication = None
- remote_data = gen_rpm_remote(RPM_UNSIGNED_FIXTURE_URL)
- remote = rpm_rpmremote_api.create(remote_data)
- repo = rpm_repository_factory()
- sync_url = RpmRepositorySyncURL(remote=remote.pulp_href)
- sync_res = rpm_repository_api.sync(repo.pulp_href, sync_url)
- monitor_task(sync_res.task)
- repository = rpm_repository_api.read(repo.pulp_href)
+ user_no = gen_user(model_roles=[])
 # Create
 with user_creator:
- publish_data = RpmRpmPublication(repository=repo.pulp_href)
- publish_response = rpm_publication_api.create(publish_data)
- created_resources = monitor_task(publish_response.task).created_resources
- publication = rpm_publication_api.read(created_resources[0])
- assert rpm_publication_api.list(repository=repository.pulp_href).count == 1
-
+ repo = rpm_repository_factory()
+ publication = rpm_publication_factory(repository=repo.pulp_href)
+ assert publication.repository == repo.pulp_href
+ pub_from_repo_version = rpm_publication_factory(repository_version=repo.latest_version_href)
+ assert pub_from_repo_version.repository_version == repo.latest_version_href
 with user_viewer, pytest.raises(ApiException) as exc:
- publish_data = RpmRpmPublication(repository=repo.pulp_href)
- rpm_publication_api.create(publish_data)
+ rpm_publication_factory(repository=repo.pulp_href)
 assert exc.value.status == 403
 with user_no, pytest.raises(ApiException) as exc:
- publish_data = RpmRpmPublication(repository=repo.pulp_href)
- rpm_publication_api.create(publish_data)
+ rpm_publication_factory(repository=repo.pulp_href)
assert exc.value.status == 403
 # Remove
@@ -328,12 +310,10 @@ def test_rbac_publication(
 with user_creator:
 rpm_publication_api.delete(publication.pulp_href)
- res = rpm_repository_api.delete(repository.pulp_href)
- monitor_task(res.task)
- res = rpm_rpmremote_api.delete(remote.pulp_href)
+ res = rpm_repository_api.delete(repo.pulp_href)
 monitor_task(res.task)
 publications = rpm_publication_api.list().results
- assert not any(p.repository != repository.pulp_href for p in publications)
+ assert not any(p.repository != repo.pulp_href for p in publications)
 @pytest.mark.parallel
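Review bot: None of the 403 cases in the -272 hunk isolates the condition this commit changes: `user_viewer` and `user_no` both lack `rpm.rpmpublication_creator`, so they are presumably rejected by the `add_rpmpublication` check before the repository check matters. The test would therefore still pass if the repository / repository-version condition were missing from the policy. A user that holds only `rpm.rpmpublication_creator` and no role on `repo` should get 403 for both `repository=` and `repository_version=`; the sketch below assumes that role carries no repository view permission. The distribution test at -343 has the same gap, since its negative calls pass neither a publication nor a repository. The test body continues outside this hunk.

```python
    # … unchanged: user_creator / user_viewer / user_no setup …
    user_pub_only = gen_user(model_roles=["rpm.rpmpublication_creator"])

    # … unchanged: publications created as user_creator …

    # Holds the add permission but nothing on `repo`: both parameters must be refused.
    with user_pub_only, pytest.raises(ApiException) as exc:
        rpm_publication_factory(repository=repo.pulp_href)
    assert exc.value.status == 403

    with user_pub_only, pytest.raises(ApiException) as exc:
        rpm_publication_factory(repository_version=repo.latest_version_href)
    assert exc.value.status == 403
```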
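Review bot: The closing assertion in the -328 hunk, `assert not any(p.repository != repo.pulp_href for p in publications)`, appears inverted: it holds when every listed publication still points at the deleted repository and fails as soon as an unrelated publication is listed. The commit only renames `repository` to `repo` here, so the logic is inherited, but if the intent is that nothing for the deleted repository remains it should read `assert not any(p.repository == repo.pulp_href for p in publications)`. The enclosing test starts outside the hunk, so it is not visible which user the list call runs as.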
@@ -343,62 +323,40 @@ def test_rbac_distribution(
 rpm_repository_factory,
 rpm_rpmremote_api,
 rpm_publication_api,
+ rpm_publication_factory,
 rpm_distribution_api,
+ rpm_distribution_factory,
 monitor_task,
 ):
 """Test RPM distribution CRUD."""
 user_creator = gen_user(
 model_roles=[
+ "rpm.rpmrepository_creator",
+ "rpm.rpmpublication_creator",
 "rpm.rpmdistribution_creator",
- "rpm.rpmpublication_owner",
- "rpm.rpmremote_owner",
- "rpm.rpmrepository_owner",
 ]
 )
 user_viewer = gen_user(
 model_roles=[
 "rpm.viewer",
- "rpm.rpmpublication_owner",
- "rpm.rpmremote_owner",
- "rpm.rpmrepository_owner",
- ]
- )
- user_no = gen_user(
- model_roles=[
- "rpm.rpmpublication_owner",
- "rpm.rpmremote_owner",
- "rpm.rpmrepository_owner",
 ]
 )
-
- distribution = None
- remote_data = gen_rpm_remote(RPM_UNSIGNED_FIXTURE_URL)
- remote = rpm_rpmremote_api.create(remote_data)
- repo = rpm_repository_factory()
- sync_url = RpmRepositorySyncURL(remote=remote.pulp_href)
- sync_res = rpm_repository_api.sync(repo.pulp_href, sync_url)
- monitor_task(sync_res.task)
- publish_data = RpmRpmPublication(repository=repo.pulp_href)
- publish_response = rpm_publication_api.create(publish_data)
- created_resources = monitor_task(publish_response.task).created_resources
- publication = rpm_publication_api.read(created_resources[0])
+ user_no = gen_user(model_roles=[])
 # Create
- dist_data = RpmRpmDistribution(
- name=str(uuid.uuid4()), publication=publication.pulp_href, base_path=str(uuid.uuid4())
- )
 with user_no, pytest.raises(ApiException) as exc:
- rpm_distribution_api.create(dist_data)
+ rpm_distribution_factory(name=str(uuid.uuid4()), base_path=str(uuid.uuid4()))
 assert exc.value.status == 403
 with user_viewer, pytest.raises(ApiException) as exc:
- rpm_distribution_api.create(dist_data)
+ rpm_distribution_factory(name=str(uuid.uuid4()), base_path=str(uuid.uuid4()))
 assert exc.value.status == 403
 with user_creator:
- res = rpm_distribution_api.create(dist_data)
- distribution =
rpm_distribution_api.read(monitor_task(res.task).created_resources[0]) - assert rpm_distribution_api.list(name=distribution.name).count == 1 + repo = rpm_repository_factory() + publication = rpm_publication_factory(repository=repo.pulp_href) + distribution = rpm_distribution_factory(publication=publication.pulp_href) + assert distribution.publication == publication.pulp_href # Update dist_data_to_update = rpm_distribution_api.read(distribution.pulp_href) @@ -434,12 +392,8 @@ def test_rbac_distribution( res = rpm_repository_api.delete(repo.pulp_href) monitor_task(res.task) - res = rpm_rpmremote_api.delete(remote.pulp_href) - monitor_task(res.task) - assert rpm_distribution_api.list(name=distribution.name).count == 0 assert rpm_repository_api.list(name=repo.name).count == 0 - assert rpm_rpmremote_api.list(name=remote.name).count == 0 @pytest.mark.parallel diff --git a/requirements.txt b/requirements.txt index bb396f678..31f718817 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,6 +3,6 @@ django_readonly_field~=1.1.1 jsonschema>=4.6,<5.0 libcomps>=0.1.15.post1,<0.2 productmd~=1.33.0 -pulpcore>=3.40.1,<3.55 +pulpcore>=3.44.1,<3.55 solv~=0.7.21 aiohttp_xmlrpc~=1.5.0
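Review bot: `rpm_rpmremote_api` stays in the `test_rbac_distribution` signature (hunk -343) although this commit removes every visible use of it: the remote creation here, and the remote deletion and final list assertion at -434. Likewise `user_creator` in `test_rbac_publication` (-272) is still given `rpm.rpmremote_creator` although no remote is created any more. Dropping the unused fixture and role keeps the test user's privileges down to what the scenario needs, so the role list documents the minimum required to publish and distribute. The body between this hunk and -434 is not shown, so confirm nothing there still uses the fixture.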