Commit 3c366805 authored by Stevan Radakovic's avatar Stevan Radakovic

Remove global submit_testjob permission usage.

Allow users to submit jobs regardless of permissions and leave the
authorization process to the new auth refactoring code already in
place.
parent bb3cdc20
......@@ -367,12 +367,6 @@ class TestJobViewSet(viewsets.ModelViewSet):
serializer.is_valid(raise_exception=True)
definition = serializer.validated_data["definition"]
if not self.request.user.has_perm("lava_scheduler_app.submit_testjob"):
return Response(
{"message": "Permission denied. Please contact system administrator"},
status=status.HTTP_403_FORBIDDEN,
)
try:
job = testjob_submission(definition, self.request.user)
except SubmissionException as exc:
......@@ -392,7 +386,7 @@ class TestJobViewSet(viewsets.ModelViewSet):
)
except DevicesUnavailableException as exc:
return Response(
{"message": "Device unavailable: %s" % exc},
{"message": "Devices unavailable: %s" % exc},
status=status.HTTP_400_BAD_REQUEST,
)
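Review bot: Dropping the `has_perm` block in the first hunk also drops the only check in the visible code that rejected an anonymous caller, since `has_perm` would normally return False for an unauthenticated `self.request.user`. The XML-RPC methods keep `self._authenticate()` and `job_submit` now tests `request.user.is_authenticated`, but this method passes `self.request.user` straight to `testjob_submission`. The viewset's `permission_classes` are outside the hunk, so this may already be covered; if it is not, a guard such as `if not self.request.user.is_authenticated:` returning `status.HTTP_403_FORBIDDEN` should precede the `try`. A test that posts to `jobs/` without credentials would pin the behaviour either way.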
......
......@@ -401,7 +401,7 @@ ok 2 - bar
reverse("api-root", args=[self.version]) + "jobs/",
{"definition": EXAMPLE_JOB},
)
assert response.status_code == 403 # nosec - unit test support
assert response.status_code == 400 # nosec - unit test support
def test_submit_bad_request_no_device_type(self):
response = self.adminclient.post(
......
......@@ -114,13 +114,6 @@ class SchedulerAPI(ExposedAPI):
job IDs.
"""
self._authenticate()
if not self.user.has_perm("lava_scheduler_app.submit_testjob"):
raise xmlrpc.client.Fault(
403,
"Permission denied. User %r does not have the "
"'lava_scheduler_app.submit_testjob' permission. Contact "
"the administrators." % self.user.username,
)
try:
job = testjob_submission(job_data, self.user)
except SubmissionException as exc:
......@@ -159,13 +152,6 @@ class SchedulerAPI(ExposedAPI):
token.
"""
self._authenticate()
if not self.user.has_perm("lava_scheduler_app.submit_testjob"):
raise xmlrpc.client.Fault(
403,
"Permission denied. User %r does not have the "
"'lava_scheduler_app.submit_testjob' permission. Contact "
"the administrators." % self.user.username,
)
try:
job = get_restricted_job(self.user, job_id)
except TestJob.DoesNotExist:
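Review bot: With the `submit_testjob` check gone from the second hunk, the only gates left in view are `self._authenticate()` and `get_restricted_job(self.user, job_id)`, and it is not visible whether either covers the right to resubmit a job rather than the right to see it. The method body continues outside the hunk, so please confirm that the retained `cancel_resubmit_testjob` permission, or its replacement in the auth refactoring, is checked before the job is resubmitted. In the first hunk the same spot deserves a one-line comment so the delegation is explicit, for example `# Authorization is delegated to testjob_submission(); no global permission is required here.`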
......
# -*- coding: utf-8 -*-
# Generated by Django 1.11.23 on 2019-10-08 13:30
from __future__ import unicode_literals
from django.db import migrations
def forwards_func(apps, schema_editor):
db_alias = schema_editor.connection.alias
Permission = apps.get_model("auth", "Permission")
Permission.objects.using(db_alias).filter(codename="submit_testjob").delete()
def noop(apps, schema_editor):
pass
class Migration(migrations.Migration):
dependencies = [
("lava_scheduler_app", "0044_reintroduce_cancel_resubmit_permission")
]
operations = [
migrations.AlterModelOptions(
name="testjob",
options={
"permissions": (
("cancel_resubmit_testjob", "Can cancel or resubmit test jobs"),
)
},
),
migrations.RunPython(forwards_func, noop),
]
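Review bot: `forwards_func` filters on `codename="submit_testjob"` alone, but a codename is only unique together with its content type, so the delete would also remove a same-named permission belonging to any other installed app. Scoping the query keeps the migration to this app: `.filter(content_type__app_label="lava_scheduler_app", codename="submit_testjob")`. The delete also removes every user and group assignment of that permission, and the reverse operation is `noop`, so rolling back does not restore those grants. A short comment above `forwards_func` would make the one-way nature explicit, e.g. `# Irreversible in practice: user/group grants of submit_testjob are dropped and not restored.`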
......@@ -1298,10 +1298,7 @@ class TestJob(models.Model):
class Meta:
index_together = ["health", "state", "requested_device_type"]
permissions = (
("submit_testjob", "Can submit test job"),
("cancel_resubmit_testjob", "Can cancel or resubmit test jobs"),
)
permissions = (("cancel_resubmit_testjob", "Can cancel or resubmit test jobs"),)
# Permission strings. Not real permissions.
VIEW_PERMISSION = "lava_scheduler_app.view_testjob"
......
......@@ -81,7 +81,7 @@ class TestSchedulerAPI(TestCaseWithFactory): # pylint: disable=too-many-ancesto
try:
server.scheduler.submit_job("{}")
except xmlrpc.client.Fault as f:
self.assertEqual(403, f.faultCode)
self.assertEqual(400, f.faultCode)
else:
self.fail("fault not raised")
......
......@@ -166,35 +166,17 @@ class TestTestJob(
self.fail("Comments have not been preserved after submission")
def test_user_permission(self):
self.assertIn(
"submit_testjob",
[
permission.codename
for permission in Permission.objects.all()
if "lava_scheduler_app" in permission.content_type.app_label
],
)
user = self.factory.make_user()
user.user_permissions.add(Permission.objects.get(codename="submit_testjob"))
user.save()
self.assertEqual(
user.get_all_permissions(), {u"lava_scheduler_app.submit_testjob"}
)
admin_perm = Permission.objects.get(codename="admin_device")
self.assertEqual("lava_scheduler_app", admin_perm.content_type.app_label)
self.assertIsNotNone(admin_perm)
self.assertEqual(admin_perm.name, "Can admin device")
user.user_permissions.add(admin_perm)
user.save()
delattr(
user, "_perm_cache"
) # force a refresh of the user permissions as well as the user
user = User.objects.get(username=user.username)
self.assertEqual(
{u"lava_scheduler_app.admin_device", u"lava_scheduler_app.submit_testjob"},
user.get_all_permissions(),
{u"lava_scheduler_app.admin_device"}, user.get_all_permissions()
)
self.assertTrue(user.has_perm("lava_scheduler_app.submit_testjob"))
self.assertTrue(user.has_perm("lava_scheduler_app.admin_device"))
def test_json_yaml(self):
......@@ -217,8 +199,6 @@ class TestTestJob(
def test_job_data(self):
self.factory.cleanup()
user = self.factory.make_user()
user.user_permissions.add(Permission.objects.get(codename="submit_testjob"))
user.save()
dt = self.factory.make_device_type(name="qemu")
device = self.factory.make_device(device_type=dt, hostname="qemu-1")
device.save()
......
......@@ -19,7 +19,7 @@
import pytest
from django.contrib.auth.models import Group, Permission, User
from django.contrib.auth.models import Group, User
from django.urls import reverse
from lava_scheduler_app.models import (
......@@ -48,7 +48,6 @@ actions: []
def setup(db):
group = Group.objects.create(name="group1")
user = User.objects.create_user(username="tester", password="tester") # nosec
user.user_permissions.add(Permission.objects.get(codename="submit_testjob"))
user.groups.add(group)
dt_qemu = DeviceType.objects.create(name="qemu")
Alias.objects.create(name="kvm", device_type=dt_qemu)
......@@ -409,19 +408,19 @@ def test_job_submit(client, setup):
ret = client.get(reverse("lava.scheduler.job.submit"))
assert ret.status_code == 200 # nosec
assert ret.templates[0].name == "lava_scheduler_app/job_submit.html" # nosec
assert ret.context["is_authorized"] is False # nosec
assert ret.context["is_authorized"] == False # nosec
# Anonymous user POST
ret = client.post(reverse("lava.scheduler.job.submit"), {"definition-input": ""})
assert ret.status_code == 200 # nosec
assert ret.templates[0].name == "lava_scheduler_app/job_submit.html" # nosec
assert ret.context["is_authorized"] is False # nosec
assert ret.context["is_authorized"] == False # nosec
# Logged-user GET
assert client.login(username="tester", password="tester") is True # nosec
ret = client.get(reverse("lava.scheduler.job.submit"))
assert ret.status_code == 200 # nosec
assert ret.templates[0].name == "lava_scheduler_app/job_submit.html" # nosec
assert ret.context["is_authorized"] is True # nosec
assert ret.context["is_authorized"] == True # nosec
# Logged-user POST as JSON
ret = client.post(
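Review bot: The `is_authorized` assertions in `test_job_submit` now compare with `== False` / `== True` instead of identity, which also passes for any value that merely compares equal to a bool. That looks like an accommodation for `job_submit`, which now puts `request.user.is_authenticated` into the context; under Django 1.11 (the version named in the new migration's header) that attribute is presumably a `CallableBool` rather than a plain `bool`. Converting at the source, `"is_authorized": bool(request.user.is_authenticated),`, would let these three assertions stay as `is False` / `is True`. `test_job_submit` continues outside the hunk.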
......
......@@ -1157,16 +1157,12 @@ def active_jobs(request):
@BreadCrumb("Submit", parent=job_list)
def job_submit(request):
is_authorized = False
if request.user and request.user.has_perm("lava_scheduler_app.submit_testjob"):
is_authorized = True
response_data = {
"is_authorized": is_authorized,
"is_authorized": request.user.is_authenticated,
"bread_crumb_trail": BreadCrumbTrail.leading_to(job_submit),
}
if request.method == "POST" and is_authorized:
if request.method == "POST" and request.user.is_authenticated:
if request.is_ajax():
warnings = ""
errors = ""
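Review bot: The context key `is_authorized` and the POST guard now express only that the user is logged in, so the name no longer matches what the value means and the template will present the form as authorized to every account. Whether a given submission is allowed is decided later, in code outside this hunk (the commit message points at the auth refactoring), and `job_submit` continues past the last visible line. If that is what the refactoring guarantees, a comment above `response_data` would record it: `# Authentication only; device/job authorization is enforced during submission.`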
......