From acf0e7097cb5914e71986c4cdb784d86573b6686 Mon Sep 17 00:00:00 2001
From: Jan Kaluza
Date: Tue, 4 Apr 2017 09:24:25 +0200
Subject: [PATCH] Use FAS groups to manage MBS admins
---
 module_build_service/config.py | 8 ++++----
 module_build_service/views.py | 2 +-
 tests/test_views/test_views.py | 19 ++++++++++++++++---
 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/module_build_service/config.py b/module_build_service/config.py
index dc7be4d9..49cf4b36 100644
--- a/module_build_service/config.py
+++ b/module_build_service/config.py
@@ -303,10 +303,10 @@ class Config(object):
 'type': bool,
 'default': False,
 'desc': 'Disable client authentication.'},
- 'admins': {
- 'type': list,
- 'default': [],
- 'desc': 'List of names of users with admin privileges.'},
+ 'admin_groups': {
+ 'type': set,
+ 'default': set([]),
+ 'desc': 'The set of groups allowed to manage MBS.'},
 }
 def __init__(self, conf_section_obj):
diff --git a/module_build_service/views.py b/module_build_service/views.py
index 8a1608c7..1572bc4f 100644
--- a/module_build_service/views.py
+++ b/module_build_service/views.py
@@ -165,7 +165,7 @@ class ModuleBuildAPI(MethodView):
 if not module:
 raise NotFound('No such module found.')
- if module.owner != username and username not in conf.admins:
+ if module.owner != username and not (conf.admin_groups & groups):
 raise Forbidden('You are not owner of this build and '
 'therefore cannot modify it.')
diff --git a/tests/test_views/test_views.py b/tests/test_views/test_views.py
index b09e0cf8..e85754d9 100644
--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
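Review bot: Dropping the `admins` option in module_build_service/config.py leaves no fallback or warning, so a deployment that still sets `admins` ends up with the empty `admin_groups` default and no administrators. That fails closed, but silently. The `desc` could state what membership grants, for example `'desc': 'FAS groups whose members may modify any module build, regardless of owner.'`, and the rename belongs in the upgrade notes. How a `set`-typed option is validated when a config file supplies a list is not visible here, because the rest of the Config class is outside the hunk.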
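Review bot: The new admin check `not (conf.admin_groups & groups)` in module_build_service/views.py needs both operands to be sets; if `groups` ever arrives as a list, the `&` raises TypeError and the caller gets a server error instead of a clean 403. `conf.admin_groups.isdisjoint(groups)` accepts any iterable on the right and reads as the intent: `if module.owner != username and conf.admin_groups.isdisjoint(groups):`. Admin rights now rest entirely on the group set returned by the auth layer, so a short comment here should say that `groups` comes from the verified identity and not from request data. The assignment of `groups` and the rest of the method are outside the hunk, so its type is inferred from the test mocks, which return a set.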
@@ -553,10 +553,11 @@ class TestViews(unittest.TestCase):
 self.assertEquals(data['status'], 403)
 self.assertEquals(data['error'], 'Forbidden')
- @patch('module_build_service.auth.get_user', return_value=('sammy', set(["packager"])))
+ @patch('module_build_service.auth.get_user',
+ return_value=('sammy', set(["packager", "mbs-admin"])))
 def test_cancel_build_admin(self, mocked_get_user):
- with patch("module_build_service.config.Config.admins",
- new_callable=PropertyMock, return_value = ["sammy"]):
+ with patch("module_build_service.config.Config.admin_groups",
+ new_callable=PropertyMock, return_value = set(["mbs-admin"])):
 rv = self.client.patch('/module-build-service/1/module-builds/30',
 data=json.dumps({'state': 'failed'}))
 data = json.loads(rv.data)
@@ -564,6 +565,18 @@ class TestViews(unittest.TestCase):
 self.assertEquals(data['state'], 4)
 self.assertEquals(data['state_reason'], 'Canceled by sammy.')
+ @patch('module_build_service.auth.get_user',
+ return_value=('sammy', set(["packager"])))
+ def test_cancel_build_no_admin(self, mocked_get_user):
+ with patch("module_build_service.config.Config.admin_groups",
+ new_callable=PropertyMock, return_value = set(["mbs-admin"])):
+ rv = self.client.patch('/module-build-service/1/module-builds/30',
+ data=json.dumps({'state': 'failed'}))
+ data = json.loads(rv.data)
+
+ self.assertEquals(data['status'], 403)
+ self.assertEquals(data['error'], 'Forbidden')
+
 @patch('module_build_service.auth.get_user', return_value=other_user)
 def test_cancel_build_wrong_param(self, mocked_get_user):
 rv = self.client.patch('/module-build-service/1/module-builds/30',
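Review bot: `test_cancel_build_no_admin` asserts only on the 403 response body, so a regression that changes the build before rejecting the request would still pass. After the PATCH the test should also re-read build 30 and assert that its state is unchanged. The denial path with the default empty `admin_groups` is not exercised either; a second negative case without the `Config.admin_groups` patch would pin that the default grants nothing. Separately, `assertEquals` is a deprecated alias, so new tests would be better written as `self.assertEqual(data['status'], 403)`.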