From f66badc9a6012b4752f34b9a3b1a81013a33f2b4 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Mar 08 2019 10:54:06 +0000 Subject: Implement Pagure Git Auth Signed-off-by: Patrick Uiterwijk --- diff --git a/pagure/lib/git_auth.py b/pagure/lib/git_auth.py index 4ed327e..3210e54 100644 --- a/pagure/lib/git_auth.py +++ b/pagure/lib/git_auth.py @@ -27,6 +27,7 @@ import pagure.lib.model_base import pagure.lib.query from pagure.config import config as pagure_config from pagure.lib import model +from pagure.utils import is_repo_committer, lookup_deploykey # logging.config.dictConfig(pagure_config.get('LOGGING') or {'version': 1}) @@ -72,6 +73,7 @@ def get_git_auth_helper(backend=None): "test_auth": GitAuthTestHelper, "gitolite2": Gitolite2Auth, "gitolite3": Gitolite3Auth, + "pagure": PagureGitAuth, }[backend] else: cls = classes[backend].load() @@ -848,6 +850,63 @@ class Gitolite3Auth(Gitolite2Auth): cls._run_gitolite_cmd(cmd) +class PagureGitAuth(GitAuthHelper): + """ Standard Pagure git auth implementation. """ + + is_dynamic = True + + @classmethod + def generate_acls(self, project, group=None): + """ This function is required but not used. """ + pass + + @classmethod + def remove_acls(self, session, project): + """ This function is required but not used. """ + pass + + def info(self, msg): + """ Function that prints info about decisions to clients. + + This is a function to make it possible to override for test suite. """ + print(msg) + + def check_acl( + self, + session, + project, + username, + refname, + pull_request, + repotype, + is_internal, + **info + ): + if is_internal: + self.info("Internal push allowed") + return True + + # Check whether a PR is required for this repo or in general + global_pr_only = pagure_config.get("PR_ONLY", False) + pr_only = project.settings.get("pull_request_access_only", False) + if repotype == "main": + if ( + pr_only or (global_pr_only and not project.is_fork) + ) and not pull_request: + self.info("Pull request required") + return False + + # Determine whether the current user is allowed to push + is_committer = is_repo_committer(project, username, session) + deploykey = lookup_deploykey(project, username) + if deploykey is not None: + self.info("Deploykey used. Push access: %s" % deploykey.pushaccess) + is_committer = deploykey.pushaccess + self.info("Has commit access: %s" % is_committer) + + return is_committer + + class GitAuthTestHelper(GitAuthHelper): """ Simple test auth module to check the auth customization system. """ diff --git a/setup.py b/setup.py index d5d7ae5..7f24828 100644 --- a/setup.py +++ b/setup.py @@ -60,6 +60,7 @@ setup( test_auth = pagure.lib.git_auth:GitAuthTestHelper gitolite2 = pagure.lib.git_auth:Gitolite2Auth gitolite3 = pagure.lib.git_auth:Gitolite3Auth + pagure = pagure.lib.git_auth:PagureGitAuth """, classifiers=[ 'License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)', diff --git a/tests/test_pagure_lib_git_auth_paguregitauth.py b/tests/test_pagure_lib_git_auth_paguregitauth.py new file mode 100644 index 0000000..7b709ba --- /dev/null +++ b/tests/test_pagure_lib_git_auth_paguregitauth.py @@ -0,0 +1,230 @@ +# -*- coding: utf-8 -*- + +""" + (c) 2019-2019 - Copyright Red Hat Inc + + Authors: + Pierre-Yves Chibon + Patrick Uiterwijk + +""" + +from __future__ import unicode_literals, absolute_import + +import json +import os +import sys + +from mock import Mock + +sys.path.insert( + 0, os.path.join(os.path.dirname(os.path.abspath(__file__)), "..") +) + +import pagure.lib.query +import tests + +from pagure.config import config as pagure_config +from pagure.lib.repo import PagureRepo + + +class PagureLibGitAuthPagureGitAuthtests(tests.Modeltests): + """ Tests for pagure.lib.git_auth PagureGitAuth dynamic ACL """ + + config_values = {"authbackend": "pagure"} + + def setUp(self): + super(PagureLibGitAuthPagureGitAuthtests, self).setUp() + + tests.create_projects(self.session) + tests.create_tokens(self.session) + tests.create_tokens_acl(self.session) + self.create_project_full("acltest") + project = pagure.lib.query._get_project(self.session, "acltest") + # Create non-push deploy key + non_push_dkey = pagure.lib.model.SSHKey( + project_id=project.id, + pushaccess=False, + public_ssh_key="\n foo bar", + ssh_short_key="\n foo bar", + ssh_search_key="\n foo bar", + creator_user_id=1, # pingou + ) + self.session.add(non_push_dkey) + # Create push deploy key + push_dkey = pagure.lib.model.SSHKey( + project_id=project.id, + pushaccess=True, + public_ssh_key="\n bar foo", + ssh_short_key="\n bar foo", + ssh_search_key="\n bar foo", + creator_user_id=1, # pingou + ) + self.session.add(push_dkey) + self.session.commit() + + def create_fork(self): + # Create fork + headers = {"Authorization": "token aaabbbcccddd"} + data = {"repo": "acltest"} + output = self.app.post("/api/0/fork/", data=data, headers=headers) + self.assertEqual(output.status_code, 200) + data = json.loads(output.get_data(as_text=True)) + self.assertDictEqual( + data, {"message": 'Repo "acltest" cloned to "pingou/acltest"'} + ) + + CASES = ( + # Internal push + { + "internal": True, + "username": "foo", + "project_pr_only": False, + "global_pr_only": False, + "project": {"name": "acltest"}, + "repotype": "main", + "expected_messages": ["Internal push allowed"], + "expected_result": True, + }, + # Globally PR required push: PR merges are always internal + { + "internal": False, + "username": "foo", + "project_pr_only": False, + "global_pr_only": True, + "project": {"name": "acltest"}, + "repotype": "main", + "expected_messages": ["Pull request required"], + "expected_result": False, + }, + # GLobally PR required, push is to fork + { + "internal": False, + "username": "foo", + "project_pr_only": False, + "global_pr_only": True, + "project": {"name": "acltest", "user": "pingou"}, + "repotype": "main", + "expected_messages": ["Has commit access: False"], + "expected_result": False, + }, + # PR required push: PR merges are always internal + { + "internal": False, + "username": "foo", + "project_pr_only": True, + "global_pr_only": False, + "project": {"name": "acltest"}, + "repotype": "main", + "expected_messages": ["Pull request required"], + "expected_result": False, + }, + # PR required for main repo, but not for ticket + { + "internal": False, + "username": "foo", + "project_pr_only": True, + "global_pr_only": False, + "project": {"name": "acltest"}, + "repotype": "ticket", + "expected_messages": ["Has commit access: False"], + "expected_result": False, + }, + # Non-push deploy key + { + "internal": False, + "username": "deploykey_acltest_1", + "project_pr_only": False, + "global_pr_only": False, + "project": {"name": "acltest"}, + "repotype": "main", + "expected_messages": [ + "Deploykey used. Push access: False", + "Has commit access: False", + ], + "expected_result": False, + }, + # Push deploy key + { + "internal": False, + "username": "deploykey_acltest_2", + "project_pr_only": False, + "global_pr_only": False, + "project": {"name": "acltest"}, + "repotype": "main", + "expected_messages": [ + "Deploykey used. Push access: True", + "Has commit access: True", + ], + "expected_result": True, + }, + # Non-committer + { + "internal": False, + "username": "foo", + "project_pr_only": False, + "global_pr_only": False, + "project": {"name": "acltest"}, + "repotype": "main", + "expected_messages": ["Has commit access: False"], + "expected_result": False, + }, + # Committer + { + "internal": False, + "username": "pingou", + "project_pr_only": False, + "global_pr_only": False, + "project": {"name": "acltest"}, + "repotype": "main", + "expected_messages": ["Has commit access: True"], + "expected_result": True, + }, + ) + + def test_cases(self): + self.create_fork() + + ga = pagure.lib.git_auth.PagureGitAuth() + ga.info = Mock() + + casenum = 0 + + for case in self.CASES: + casenum += 1 + print("Case %d: %s" % (casenum, case)) + project = pagure.lib.query._get_project( + self.session, **case["project"] + ) + + # Set global PR setting + pagure_config["PR_ONLY"] = case["global_pr_only"] + + # Set per-project PR setting + curset = project.settings + curset["pull_request_access_only"] = case["project_pr_only"] + project.settings = curset + self.session.commit() + + result = ga.check_acl( + session=self.session, + project=project, + username=case["username"], + refname="refs/heads/master", + pull_request=None, + repotype=case["repotype"], + is_internal=case["internal"], + ) + print("Result: %s" % result) + self.assertEqual( + result, + case["expected_result"], + "Expected result not met in case %s" % case, + ) + print("Correct result") + self.assertListEqual( + case["expected_messages"], + [info_call[0][0] for info_call in ga.info.call_args_list], + ) + print("Correct messages") + ga.info.reset_mock()