PR#4054: Implement Pagure Git Auth - pagure

pagure

#4054 Implement Pagure Git Auth

Merged 5 years ago by pingou. Opened 5 years ago by puiterwijk.

puiterwijk/pagure pagureacl into master

Implement Pagure Git Auth

Patrick Uiterwijk • 5 years ago

f66badc

pagure/lib/git_auth.py

file modified

+59

		`@@ -27,6 +27,7 @@`
		`import pagure.lib.query`
		`from pagure.config import config as pagure_config`
		`from pagure.lib import model`
		`+ from pagure.utils import is_repo_committer, lookup_deploykey`


		`# logging.config.dictConfig(pagure_config.get('LOGGING') or {'version': 1})`
		`@@ -72,6 +73,7 @@`
		`"test_auth": GitAuthTestHelper,`
		`"gitolite2": Gitolite2Auth,`
		`"gitolite3": Gitolite3Auth,`
		`+ "pagure": PagureGitAuth,`
		`}[backend]`
		`else:`
		`cls = classes[backend].load()`
		`@@ -848,6 +850,63 @@`
		`cls._run_gitolite_cmd(cmd)`


		`+ class PagureGitAuth(GitAuthHelper):`
		`+ """ Standard Pagure git auth implementation. """`
		`+`
		`+ is_dynamic = True`
		`+`
		`+ @classmethod`
		`+ def generate_acls(self, project, group=None):`
		`+ """ This function is required but not used. """`
		`+ pass`
		`+`
		`+ @classmethod`
		`+ def remove_acls(self, session, project):`
		`+ """ This function is required but not used. """`
		`+ pass`
		`+`
		`+ def info(self, msg):`
		`+ """ Function that prints info about decisions to clients.`
		`+`
		`+ This is a function to make it possible to override for test suite. """`
		`+ print(msg)`
		`+`
		`+ def check_acl(`
		`+ self,`
		`+ session,`
		`+ project,`
		`+ username,`
		`+ refname,`
		`+ pull_request,`
		`+ repotype,`
		`+ is_internal,`
		`+ **info`
		`+ ):`
		`+ if is_internal:`
		`+ self.info("Internal push allowed")`
		`+ return True`
		`+`
		`+ # Check whether a PR is required for this repo or in general`
		`+ global_pr_only = pagure_config.get("PR_ONLY", False)`
		`+ pr_only = project.settings.get("pull_request_access_only", False)`
		`+ if repotype == "main":`
		`+ if (`
		`+ pr_only or (global_pr_only and not project.is_fork)`
		`+ ) and not pull_request:`
		`+ self.info("Pull request required")`
		`+ return False`
		`+`
		`+ # Determine whether the current user is allowed to push`
		`+ is_committer = is_repo_committer(project, username, session)`
		`+ deploykey = lookup_deploykey(project, username)`
		`+ if deploykey is not None:`
		`+ self.info("Deploykey used. Push access: %s" % deploykey.pushaccess)`
		`+ is_committer = deploykey.pushaccess`
		`+ self.info("Has commit access: %s" % is_committer)`
		`+`
		`+ return is_committer`
		`+`
		`+`
		`class GitAuthTestHelper(GitAuthHelper):`
		`""" Simple test auth module to check the auth customization system. """`

setup.py

file modified

		`@@ -60,6 +60,7 @@`
		`test_auth = pagure.lib.git_auth:GitAuthTestHelper`
		`gitolite2 = pagure.lib.git_auth:Gitolite2Auth`
		`gitolite3 = pagure.lib.git_auth:Gitolite3Auth`
		`+ pagure = pagure.lib.git_auth:PagureGitAuth`
		`""",`
		`classifiers=[`
		`'License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)',`

tests/test_pagure_lib_git_auth_paguregitauth.py

file added

+230

		`@@ -0,0 +1,230 @@`
		`+ # -- coding: utf-8 --`
		`+`
		`+ """`
		`+ (c) 2019-2019 - Copyright Red Hat Inc`
		`+`
		`+ Authors:`
		`+ Pierre-Yves Chibon <pingou@pingoured.fr>`
		`+ Patrick Uiterwijk <patrick@puiterwijk.org>`
		`+`
		`+ """`
		`+`
		`+ from __future__ import unicode_literals, absolute_import`
		`+`
		`+ import json`
		`+ import os`
		`+ import sys`
		`+`
		`+ from mock import Mock`
		`+`
		`+ sys.path.insert(`
		`+ 0, os.path.join(os.path.dirname(os.path.abspath(__file__)), "..")`
		`+ )`
		`+`
		`+ import pagure.lib.query`
		`+ import tests`
		`+`
		`+ from pagure.config import config as pagure_config`
		`+ from pagure.lib.repo import PagureRepo`
		`+`
		`+`
		`+ class PagureLibGitAuthPagureGitAuthtests(tests.Modeltests):`
		`+ """ Tests for pagure.lib.git_auth PagureGitAuth dynamic ACL """`
		`+`
		`+ config_values = {"authbackend": "pagure"}`
		`+`
		`+ def setUp(self):`
		`+ super(PagureLibGitAuthPagureGitAuthtests, self).setUp()`
		`+`
		`+ tests.create_projects(self.session)`
		`+ tests.create_tokens(self.session)`
		`+ tests.create_tokens_acl(self.session)`
		`+ self.create_project_full("acltest")`
		`+ project = pagure.lib.query._get_project(self.session, "acltest")`
		`+ # Create non-push deploy key`
		`+ non_push_dkey = pagure.lib.model.SSHKey(`
		`+ project_id=project.id,`
		`+ pushaccess=False,`
		`+ public_ssh_key="\n foo bar",`
		`+ ssh_short_key="\n foo bar",`
		`+ ssh_search_key="\n foo bar",`
		`+ creator_user_id=1, # pingou`
		`+ )`
		`+ self.session.add(non_push_dkey)`
		`+ # Create push deploy key`
		`+ push_dkey = pagure.lib.model.SSHKey(`
		`+ project_id=project.id,`
		`+ pushaccess=True,`
		`+ public_ssh_key="\n bar foo",`
		`+ ssh_short_key="\n bar foo",`
		`+ ssh_search_key="\n bar foo",`
		`+ creator_user_id=1, # pingou`
		`+ )`
		`+ self.session.add(push_dkey)`
		`+ self.session.commit()`
		`+`
		`+ def create_fork(self):`
		`+ # Create fork`
		`+ headers = {"Authorization": "token aaabbbcccddd"}`
		`+ data = {"repo": "acltest"}`
		`+ output = self.app.post("/api/0/fork/", data=data, headers=headers)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ data = json.loads(output.get_data(as_text=True))`
		`+ self.assertDictEqual(`
		`+ data, {"message": 'Repo "acltest" cloned to "pingou/acltest"'}`
		`+ )`
		`+`
		`+ CASES = (`
		`+ # Internal push`
		`+ {`
		`+ "internal": True,`
		`+ "username": "foo",`
		`+ "project_pr_only": False,`
		`+ "global_pr_only": False,`
		`+ "project": {"name": "acltest"},`
		`+ "repotype": "main",`
		`+ "expected_messages": ["Internal push allowed"],`
		`+ "expected_result": True,`
		`+ },`
		`+ # Globally PR required push: PR merges are always internal`
		`+ {`
		`+ "internal": False,`
		`+ "username": "foo",`
		`+ "project_pr_only": False,`
		`+ "global_pr_only": True,`
		`+ "project": {"name": "acltest"},`
		`+ "repotype": "main",`
		`+ "expected_messages": ["Pull request required"],`
		`+ "expected_result": False,`
		`+ },`
		`+ # GLobally PR required, push is to fork`
		`+ {`
		`+ "internal": False,`
		`+ "username": "foo",`
		`+ "project_pr_only": False,`
		`+ "global_pr_only": True,`
		`+ "project": {"name": "acltest", "user": "pingou"},`
		`+ "repotype": "main",`
		`+ "expected_messages": ["Has commit access: False"],`
		`+ "expected_result": False,`
		`+ },`
		`+ # PR required push: PR merges are always internal`
		`+ {`
		`+ "internal": False,`
		`+ "username": "foo",`
		`+ "project_pr_only": True,`
		`+ "global_pr_only": False,`
		`+ "project": {"name": "acltest"},`
		`+ "repotype": "main",`
		`+ "expected_messages": ["Pull request required"],`
		`+ "expected_result": False,`
		`+ },`
		`+ # PR required for main repo, but not for ticket`
		`+ {`
		`+ "internal": False,`
		`+ "username": "foo",`
		`+ "project_pr_only": True,`
		`+ "global_pr_only": False,`
		`+ "project": {"name": "acltest"},`
		`+ "repotype": "ticket",`
		`+ "expected_messages": ["Has commit access: False"],`
		`+ "expected_result": False,`
		`+ },`
		`+ # Non-push deploy key`
		`+ {`
		`+ "internal": False,`
		`+ "username": "deploykey_acltest_1",`
		`+ "project_pr_only": False,`
		`+ "global_pr_only": False,`
		`+ "project": {"name": "acltest"},`
		`+ "repotype": "main",`
		`+ "expected_messages": [`
		`+ "Deploykey used. Push access: False",`
		`+ "Has commit access: False",`
		`+ ],`
		`+ "expected_result": False,`
		`+ },`
		`+ # Push deploy key`
		`+ {`
		`+ "internal": False,`
		`+ "username": "deploykey_acltest_2",`
		`+ "project_pr_only": False,`
		`+ "global_pr_only": False,`
		`+ "project": {"name": "acltest"},`
		`+ "repotype": "main",`
		`+ "expected_messages": [`
		`+ "Deploykey used. Push access: True",`
		`+ "Has commit access: True",`
		`+ ],`
		`+ "expected_result": True,`
		`+ },`
		`+ # Non-committer`
		`+ {`
		`+ "internal": False,`
		`+ "username": "foo",`
		`+ "project_pr_only": False,`
		`+ "global_pr_only": False,`
		`+ "project": {"name": "acltest"},`
		`+ "repotype": "main",`
		`+ "expected_messages": ["Has commit access: False"],`
		`+ "expected_result": False,`
		`+ },`
		`+ # Committer`
		`+ {`
		`+ "internal": False,`
		`+ "username": "pingou",`
		`+ "project_pr_only": False,`
		`+ "global_pr_only": False,`
		`+ "project": {"name": "acltest"},`
		`+ "repotype": "main",`
		`+ "expected_messages": ["Has commit access: True"],`
		`+ "expected_result": True,`
		`+ },`
		`+ )`
		`+`
		`+ def test_cases(self):`
		`+ self.create_fork()`
		`+`
		`+ ga = pagure.lib.git_auth.PagureGitAuth()`
		`+ ga.info = Mock()`
		`+`
		`+ casenum = 0`
		`+`
		`+ for case in self.CASES:`
		`+ casenum += 1`
		`+ print("Case %d: %s" % (casenum, case))`
		`+ project = pagure.lib.query._get_project(`
		`+ self.session, **case["project"]`
		`+ )`
		`+`
		`+ # Set global PR setting`
		`+ pagure_config["PR_ONLY"] = case["global_pr_only"]`
		`+`
		`+ # Set per-project PR setting`
		`+ curset = project.settings`
		`+ curset["pull_request_access_only"] = case["project_pr_only"]`
		`+ project.settings = curset`
		`+ self.session.commit()`
		`+`
		`+ result = ga.check_acl(`
		`+ session=self.session,`
		`+ project=project,`
		`+ username=case["username"],`
		`+ refname="refs/heads/master",`
		`+ pull_request=None,`
		`+ repotype=case["repotype"],`
		`+ is_internal=case["internal"],`
		`+ )`
		`+ print("Result: %s" % result)`
		`+ self.assertEqual(`
		`+ result,`
		`+ case["expected_result"],`
		`+ "Expected result not met in case %s" % case,`
		`+ )`
		`+ print("Correct result")`
		`+ self.assertListEqual(`
		`+ case["expected_messages"],`
		`+ [info_call[0][0] for info_call in ga.info.call_args_list],`
		`+ )`
		`+ print("Correct messages")`
		`+ ga.info.reset_mock()`

puiterwijk commented 5 years ago

Note that this is theoretical, untested, and hacked up quickly.
Just figured I'd submit it, and someone can take it from here.

pingou commented 5 years ago

This seems to be a duplicate of https://pagure.io/pagure/pull-request/3867 no?

pingou commented 5 years ago

This one has support for is_internal that #3867 doesn't though

puiterwijk commented 5 years ago

.... I knew I'd done this once before.
Nice how I keep duplicating things.
One point in my favor: I actually named the classes about the same... Consistent naming schemes?

pingou commented 5 years ago

This one is more complete so I'm going to close #3867 but I'd like more confidence than "it's theoretical and untested" before merging it :)

zlopez commented 5 years ago

At least some basic tests should be added to see if this is working.

rebased onto e59540f72843951dfa3244226e2faa5f4de67191

5 years ago

rebased onto 2955c43e4d5dd9f213c7c8989acca4bb38b99131

5 years ago

pingou commented 5 years ago

Neat tests :)

pretty please pagure-ci rebuild

5 years ago

puiterwijk commented 5 years ago

The last run caught a repoSpanner build that seems to have some bugs when used in conjunction with Pagure (was a test build on someone's specific request I had forgotten to untag from the infra repos).

rebased onto f66badc

5 years ago