Use FAS groups to manage MBS admins

2026-04-14 13:49:50 +08:00 · 2017-04-04 09:24:25 +02:00
parent 1df6f8e8ad
commit acf0e7097c
3 changed files with 21 additions and 8 deletions
--- a/module_build_service/config.py
+++ b/module_build_service/config.py
@@ -303,10 +303,10 @@ class Config(object):
            'type': bool,
            'default': False,
            'desc': 'Disable client authentication.'},
-        'admins': {
-            'type': list,
-            'default': [],
-            'desc': 'List of names of users with admin privileges.'},
+        'admin_groups': {
+            'type': set,
+            'default': set([]),
+            'desc': 'The set of groups allowed to manage MBS.'},
    }

    def __init__(self, conf_section_obj):
--- a/module_build_service/views.py
+++ b/module_build_service/views.py
@@ -165,7 +165,7 @@ class ModuleBuildAPI(MethodView):
        if not module:
            raise NotFound('No such module found.')

-        if module.owner != username and username not in conf.admins:
+        if module.owner != username and not (conf.admin_groups & groups):
            raise Forbidden('You are not owner of this build and '
                            'therefore cannot modify it.')

--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
@@ -553,10 +553,11 @@ class TestViews(unittest.TestCase):
        self.assertEquals(data['status'], 403)
        self.assertEquals(data['error'], 'Forbidden')

-    @patch('module_build_service.auth.get_user', return_value=('sammy', set(["packager"])))
+    @patch('module_build_service.auth.get_user',
+           return_value=('sammy', set(["packager", "mbs-admin"])))
    def test_cancel_build_admin(self, mocked_get_user):
-        with patch("module_build_service.config.Config.admins",
-                new_callable=PropertyMock, return_value = ["sammy"]):
+        with patch("module_build_service.config.Config.admin_groups",
+                new_callable=PropertyMock, return_value = set(["mbs-admin"])):
            rv = self.client.patch('/module-build-service/1/module-builds/30',
                                data=json.dumps({'state': 'failed'}))
            data = json.loads(rv.data)
@@ -564,6 +565,18 @@ class TestViews(unittest.TestCase):
            self.assertEquals(data['state'], 4)
            self.assertEquals(data['state_reason'], 'Canceled by sammy.')

+    @patch('module_build_service.auth.get_user',
+           return_value=('sammy', set(["packager"])))
+    def test_cancel_build_no_admin(self, mocked_get_user):
+        with patch("module_build_service.config.Config.admin_groups",
+                new_callable=PropertyMock, return_value = set(["mbs-admin"])):
+            rv = self.client.patch('/module-build-service/1/module-builds/30',
+                                data=json.dumps({'state': 'failed'}))
+            data = json.loads(rv.data)
+
+            self.assertEquals(data['status'], 403)
+            self.assertEquals(data['error'], 'Forbidden')
+
    @patch('module_build_service.auth.get_user', return_value=other_user)
    def test_cancel_build_wrong_param(self, mocked_get_user):
        rv = self.client.patch('/module-build-service/1/module-builds/30',