PR#4637: Add support to expire and update any API token, not just the admin ones - pagure

pagure

#4637 Add support to expire and update any API token, not just the admin ones

Merged 4 years ago by pingou. Opened 4 years ago by pingou.

pagure-token-all into master

Add support to expire and update any API token, not just the admin ones

Pierre-Yves Chibon • 4 years ago

743bb5e

pagure/cli/admin.py

file modified

+18

		`@@ -170,6 +170,12 @@`
		`"expire", help="Expire a specific API token"`
		`)`
		`local_parser.add_argument("token", help="API token")`
		`+ local_parser.add_argument(`
		`+ "--all",`
		`+ default=False,`
		`+ action="store_true",`
		`+ help="Act on any API token instead of only those with admin ACLs",`
		`+ )`
		`local_parser.set_defaults(func=do_expire_admin_token)`


		`@@ -201,6 +207,12 @@`
		`)`
		`local_parser.add_argument("token", help="API token")`
		`local_parser.add_argument("date", help="New expiration date")`
		`+ local_parser.add_argument(`
		`+ "--all",`
		`+ default=False,`
		`+ action="store_true",`
		`+ help="Act on any API token instead of only those with admin ACLs",`
		`+ )`
		`local_parser.set_defaults(func=do_update_admin_token)`


		`@@ -736,8 +748,11 @@`

		`"""`
		`_log.debug("token: %s", args.token)`
		`+ _log.debug("all: %s", args.all)`

		`acls = pagure.config.config["ADMIN_API_ACLS"]`
		`+ if args.all:`
		`+ acls = None`
		`token = pagure.lib.query.search_token(session, acls, token=args.token)`
		`if not token:`
		`raise pagure.exceptions.PagureException("No such admin token found")`
		`@@ -763,8 +778,11 @@`
		`"""`
		`_log.debug("token: %s", args.token)`
		`_log.debug("new date: %s", args.date)`
		`+ _log.debug("all: %s", args.all)`

		`acls = pagure.config.config["ADMIN_API_ACLS"]`
		`+ if args.all:`
		`+ acls = None`
		`token = pagure.lib.query.search_token(session, acls, token=args.token)`
		`if not token:`
		`raise pagure.exceptions.PagureException("No such admin token found")`

tests/test_pagure_admin.py

file modified

+142 -5

		`@@ -481,7 +481,64 @@`
		`self.assertIn(" -- pingou -- ", output)`

		`# Expire the token`
		`- args = munch.Munch({"token": token})`
		`+ args = munch.Munch({"token": token, "all": False})`
		`+ pagure.cli.admin.do_expire_admin_token(args)`
		`+`
		`+ # After`
		`+ list_args = munch.Munch(`
		`+ {`
		`+ "user": None,`
		`+ "token": None,`
		`+ "active": True,`
		`+ "expired": False,`
		`+ "all": False,`
		`+ }`
		`+ )`
		`+ with tests.capture_output() as output:`
		`+ pagure.cli.admin.do_list_admin_token(list_args)`
		`+ output = output.getvalue()`
		`+ self.assertEqual(output, "No admin tokens found\n")`
		`+`
		`+ @patch("pagure.cli.admin._get_input")`
		`+ @patch("pagure.cli.admin._ask_confirmation")`
		`+ def test_do_expire_admin_token_non_admin_acls(self, conf, rinp):`
		`+ """ Test the do_expire_admin_token function of pagure-admin for a token`
		`+ without any admin ACL. """`
		`+ if "BUILD_ID" in os.environ:`
		`+ raise unittest.case.SkipTest("Skipping on jenkins/el7")`
		`+`
		`+ # Create an admin token to use`
		`+ conf.return_value = True`
		`+ rinp.return_value = "1,2,3"`
		`+`
		`+ pagure.lib.query.add_token_to_user(`
		`+ self.session,`
		`+ project=None,`
		`+ acls=["issue_assign", "pull_request_subscribe"],`
		`+ username="pingou",`
		`+ )`
		`+`
		`+ # Retrieve all tokens to get the one of interest`
		`+ list_args = munch.Munch(`
		`+ {`
		`+ "user": None,`
		`+ "token": None,`
		`+ "active": False,`
		`+ "expired": False,`
		`+ "all": True,`
		`+ }`
		`+ )`
		`+ with tests.capture_output() as output:`
		`+ pagure.cli.admin.do_list_admin_token(list_args)`
		`+ output = output.getvalue()`
		`+ self.assertNotEqual(output, 'No user "pingou" found\n')`
		`+ self.assertEqual(len(output.split("\n")), 2)`
		`+ self.assertIn(" -- pingou -- ", output)`
		`+`
		`+ token = output.split(" ", 1)[0]`
		`+`
		`+ # Expire the token`
		`+ args = munch.Munch({"token": token, "all": True})`
		`pagure.cli.admin.do_expire_admin_token(args)`

		`# After`
		`@@ -535,7 +592,7 @@`
		`current_expiration = output.split(" ", 1)[1]`

		`# Set the expiration date to the token`
		`- args = munch.Munch({"token": token, "date": "aa-bb-cc"})`
		`+ args = munch.Munch({"token": token, "date": "aa-bb-cc", "all": False})`
		`self.assertRaises(`
		`pagure.exceptions.PagureException,`
		`pagure.cli.admin.do_update_admin_token,`
		`@@ -578,7 +635,9 @@`
		`current_expiration = output.split(" ", 1)[1]`

		`# Set the expiration date to the token`
		`- args = munch.Munch({"token": token, "date": "2017-18-01"})`
		`+ args = munch.Munch(`
		`+ {"token": token, "date": "2017-18-01", "all": False}`
		`+ )`
		`self.assertRaises(`
		`pagure.exceptions.PagureException,`
		`pagure.cli.admin.do_update_admin_token,`
		`@@ -622,7 +681,11 @@`

		`# Set the expiration date to the token`
		`args = munch.Munch(`
		`- {"token": token, "date": datetime.datetime.utcnow().date()}`
		`+ {`
		`+ "token": token,`
		`+ "date": datetime.datetime.utcnow().date(),`
		`+ "all": False,`
		`+ }`
		`)`
		`self.assertRaises(`
		`pagure.exceptions.PagureException,`
		`@@ -687,7 +750,11 @@`

		`# Set the expiration date to the token`
		`args = munch.Munch(`
		`- {"token": token, "date": deadline.strftime("%Y-%m-%d")}`
		`+ {`
		`+ "token": token,`
		`+ "date": deadline.strftime("%Y-%m-%d"),`
		`+ "all": False,`
		`+ }`
		`)`
		`pagure.cli.admin.do_update_admin_token(args)`

		`@@ -709,6 +776,76 @@`
		`output.strip().split(" -- ", 2)[-1], current_expiration`
		`)`

		`+ @patch("pagure.cli.admin._get_input")`
		`+ @patch("pagure.cli.admin._ask_confirmation")`
		`+ def test_do_update_admin_token_non_admin_acls(self, conf, rinp):`
		`+ """ Test the do_update_admin_token function of pagure-admin for a token`
		`+ without any admin ACL. """`
		`+ if "BUILD_ID" in os.environ:`
		`+ raise unittest.case.SkipTest("Skipping on jenkins/el7")`
		`+`
		`+ # Create an admin token to use`
		`+ conf.return_value = True`
		`+ rinp.return_value = "1,2,3"`
		`+`
		`+ pagure.lib.query.add_token_to_user(`
		`+ self.session,`
		`+ project=None,`
		`+ acls=["issue_assign", "pull_request_subscribe"],`
		`+ username="pingou",`
		`+ )`
		`+`
		`+ # Retrieve all tokens to get the one of interest`
		`+ list_args = munch.Munch(`
		`+ {`
		`+ "user": None,`
		`+ "token": None,`
		`+ "active": False,`
		`+ "expired": False,`
		`+ "all": True,`
		`+ }`
		`+ )`
		`+ with tests.capture_output() as output:`
		`+ pagure.cli.admin.do_list_admin_token(list_args)`
		`+ output = output.getvalue()`
		`+ self.assertNotEqual(output, 'No user "pingou" found\n')`
		`+ self.assertEqual(len(output.split("\n")), 2)`
		`+ self.assertIn(" -- pingou -- ", output)`
		`+`
		`+ token = output.split(" ", 1)[0]`
		`+ current_expiration = output.strip().split(" -- ", 2)[-1]`
		`+ deadline = datetime.datetime.utcnow().date() + datetime.timedelta(`
		`+ days=3`
		`+ )`
		`+`
		`+ # Set the expiration date to the token`
		`+ args = munch.Munch(`
		`+ {`
		`+ "token": token,`
		`+ "date": deadline.strftime("%Y-%m-%d"),`
		`+ "all": True,`
		`+ }`
		`+ )`
		`+ pagure.cli.admin.do_update_admin_token(args)`
		`+`
		`+ # After`
		`+ list_args = munch.Munch(`
		`+ {`
		`+ "user": None,`
		`+ "token": None,`
		`+ "active": True,`
		`+ "expired": False,`
		`+ "all": True,`
		`+ }`
		`+ )`
		`+ with tests.capture_output() as output:`
		`+ pagure.cli.admin.do_list_admin_token(list_args)`
		`+ output = output.getvalue()`
		`+ self.assertEqual(output.split(" ", 1)[0], token)`
		`+ self.assertNotEqual(`
		`+ output.strip().split(" -- ", 2)[-1], current_expiration`
		`+ )`
		`+`

		`class PagureAdminGetWatchTests(tests.Modeltests):`
		`""" Tests for pagure-admin get-watch """`

pingou commented 4 years ago

Basically we normally restrict the API token by them having one of the
ADMIN_API_ACLS acl, which meant we could not update or expire API tokens
that did not have any of these acls.
With this change, we can lift this constraint by using --all.

Signed-off-by: Pierre-Yves Chibon pingou@pingoured.fr