#2019 log --force usage by admins
Merged 2 years ago by tkopecek. Opened 2 years ago by tkopecek.
tkopecek/koji issue1930  into  master

file modified
+29
@@ -993,6 +993,10 @@ 

          # don't check policy for admins using force

          if not (force and context.session.hasPerm('admin')):

              assert_policy('package_list', policy_data)

+         else:

+             pkg_name = pkg and pkg['name'] or pkginfo

+             logger.info("Package list add %s/%s policy overriden by %s" % (

+                 tag['name'], pkg_name, context.session.user_data['name']))

      if not pkg:

          pkg = lookup_package(pkginfo, create=True)

      # validate arches before running callbacks
@@ -1073,6 +1077,10 @@ 

          # don't check policy for admins using force

          if not (force and context.session.hasPerm('admin')):

              assert_policy('package_list', policy_data)

+         else:

+             logger.info("Package list %s/%s remove policy overriden by %s" % (

+                 tag['name'], pkg['name'], context.session.user_data['name']))

+ 

      user = get_user(context.session.user_id)

      koji.plugin.run_callbacks(

          'prePackageListChange', action='remove', tag=tag, package=pkg, user=user)
@@ -1105,6 +1113,9 @@ 

      # don't check policy for admins using force

      if not (force and context.session.hasPerm('admin')):

          assert_policy('package_list', policy_data)

+     else:

+         logger.info("Package list %s/%s unblock policy overriden by %s" % (

+             tag['name'], pkg['name'], context.session.user_data['name']))

      user = get_user(context.session.user_id)

      koji.plugin.run_callbacks(

          'prePackageListChange', action='unblock', tag=tag, package=pkg, user=user)
@@ -10619,6 +10630,8 @@ 

          if pkg_error:

              if force and context.session.hasPerm('admin'):

                  pkglist_add(tag_id, pkg_id, force=True, block=False)

+                 logger.info("Package add policy %s/%s overriden by %s" % (

+                     tag['name'], build['nvr'], context.session.user_data['name']))

              else:

                  raise koji.TagError(pkg_error)

          # tag policy check
@@ -10631,6 +10644,9 @@ 

          if not (force and context.session.hasPerm('admin')):

              assert_policy('tag', policy_data)

              # XXX - we're running this check twice, here and in host.tagBuild (called by the task)

+         else:

+             logger.info("Tag policy %s/%s overriden by %s" % (

+                 tag['name'], build['nvr'], context.session.user_data['name']))

          # spawn the tagging task

          return make_task('tagBuild', [tag_id, build_id, force, fromtag_id], priority=10)

  
@@ -10650,6 +10666,9 @@ 

              # don't check policy for admins using force

              if not (force and context.session.hasPerm('admin')):

                  assert_policy('tag', policy_data)

+             else:

+                 logger.info("Untag policy %s/%s overriden by %s" % (

+                     tag, build, context.session.user_data['name']))

              _untag_build(tag, build, strict=strict, force=force)

              tag_notification(True, None, tag, build, user_id)

          except Exception:
@@ -10705,6 +10724,8 @@ 

          if pkg_error:

              if force and context.session.hasPerm('admin'):

                  pkglist_add(tag2_id, pkg_id, force=True, block=False)

+                 logger.info("Package list policy %s/%s overriden by %s" % (

+                     tag2, package, context.session.user_data['name']))

              else:

                  raise koji.TagError(pkg_error)

  
@@ -10725,6 +10746,9 @@ 

                  assert_policy('tag', policy_data)

                  # XXX - we're running this check twice, here and in host.tagBuild (called by the

                  # task)

+         else:

+             logger.info("Tag move policy %s/%s overriden by %s" % (

+                 tag2, package, context.session.user_data['name']))

  

          wait_on = []

          tasklist = []
@@ -13896,6 +13920,9 @@ 

          perms = koji.auth.get_user_perms(user_id)

          if not force or 'admin' not in perms:

              assert_policy('tag', policy_data)

+         if force and 'admin' in perms:

+             logger.info("Tag build %s/%s policy overriden by %s" % (

+                 tag, build['nvr'], context.session.user_data['name']))

          # package list check

          pkgs = readPackageList(tagID=tag_id, pkgID=pkg_id, inherit=True)

          pkg_error = None
@@ -13906,6 +13933,8 @@ 

          if pkg_error:

              if force and context.session.hasPerm('admin'):

                  pkglist_add(tag_id, pkg_id, force=True, block=False)

+                 logger.info("Package added %s/%s by %s" % (

+                     tag, build['nvr'], context.session.user_data['name']))

              else:

                  raise koji.TagError(pkg_error)

          # do the actual work now

@@ -28,6 +28,7 @@ 

          # start with "assert"

          self.context.session.assertLogin = mock.MagicMock()

          self.context.session.user_id = 112233

+         self.context.session.user_data = {'name': 'username'}

          self.run_callbacks = mock.patch('koji.plugin.run_callbacks').start()

  

      def tearDown(self):

Log everything related to package listing and build tagging done by
admin users via --force flag.

Fixes: https://pagure.io/koji/issue/1930

rebased onto 3906eaa052fe60eb7326b0ab35b750449797c823

2 years ago

I don't know if we want to require folks needing #1930 to crank logging up to DEBUG.

Overrides are hypothetically rare, but I guess in a mass tagging operation they might not be.

@mikem - other option is plugin hook + message via proton or mail. Anything else?

Or dou you mean just upgrading to INFO? (done)

rebased onto c1a4b5edd5b239c763dd30c38c3fdb14a20b7497

2 years ago

just upgrading to INFO?

yeah, that's what I was getting at. thanks :smile:

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

2 years ago

rebased onto ad0fb66

2 years ago

1 new commit added

  • fix logging package name
2 years ago

Metadata Update from @jcupova:
- Pull-request tagged with: testing-done

2 years ago

Commit 336c3ba fixes this pull-request

Pull-Request has been merged by tkopecek

2 years ago

pretty please pagure-ci rebuild

2 years ago