Enable social auth users to see other users. (#1934)

Add a custom condition function to detect if using github social auth and then always allow user list and retrieve. Issue: AAH-2781 Signed-off-by: James Tanner <[email protected]>
ansible · Oct 16, 2023 · 67bf324 · 67bf324
1 parent 82fde17
commit 67bf324
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 14 deletions.
diff --git a/CHANGES/2781.bugfix b/CHANGES/2781.bugfix
@@ -0,0 +1 @@
+Allow all authenticated users to list and retrieve other users when using github social auth.
diff --git a/galaxy_ng/app/access_control/access_policy.py b/galaxy_ng/app/access_control/access_policy.py
@@ -281,6 +281,23 @@ def v3_can_destroy_collections(self, request, view, action):
             return True
         return False
 
+    def v3_can_view_users(self, request, view, action):
+        """
+        Community galaxy users need to be able to see one-another,
+        so that they can grant eachother access to their namespaces.
+        """
+        SOCIAL_AUTH_GITHUB_KEY = settings.get("SOCIAL_AUTH_GITHUB_KEY", default=None)
+        SOCIAL_AUTH_GITHUB_SECRET = settings.get("SOCIAL_AUTH_GITHUB_SECRET", default=None)
+        is_github_social_auth = all([SOCIAL_AUTH_GITHUB_KEY, SOCIAL_AUTH_GITHUB_SECRET])
+
+        if is_github_social_auth:
+            return True
+
+        if request.user.has_perm('galaxy.view_user'):
+            return True
+
+        return False
+
     def has_ansible_repo_perms(self, request, view, action, permission):
         """
         Check if the user has model or object-level permissions

diff --git a/galaxy_ng/app/access_control/statements/standalone.py b/galaxy_ng/app/access_control/statements/standalone.py
@@ -198,13 +198,13 @@
             "action": ["list"],
             "principal": "authenticated",
             "effect": "allow",
-            "condition": "has_model_perms:galaxy.view_user"
+            "condition": ["v3_can_view_users"],
         },
         {
             "action": ["retrieve"],
             "principal": "authenticated",
             "effect": "allow",
-            "condition": "has_model_perms:galaxy.view_user"
+            "condition": ["v3_can_view_users"],
         },
         {
             "action": "destroy",

diff --git a/galaxy_ng/tests/integration/community/test_community_namespace_rbac.py b/galaxy_ng/tests/integration/community/test_community_namespace_rbac.py
@@ -570,3 +570,28 @@ def test_community_social_v3_namespace_sorting(ansible_config):
     # https://issues.redhat.com/browse/AAH-2729
     # social auth code was trying to sort namespaces ...
     pass
+
+
+@pytest.mark.deployment_community
+def test_social_auth_access_api_ui_v1_users(ansible_config):
+    # https://issues.redhat.com/browse/AAH-2781
+
+    username = "foo1234"
+    default_cfg = extract_default_config(ansible_config)
+
+    ga = GithubAdminClient()
+    ga.delete_user(login=username)
+
+    user_c = ga.create_user(login=username, email="[email protected]")
+    user_c.update(default_cfg)
+    user_c['username'] = username
+
+    with SocialGithubClient(config=user_c) as client:
+        users_resp = client.get('_ui/v1/users/')
+        assert users_resp.status_code == 200
+
+        # try to fetch each user ..
+        for udata in users_resp.json()['data']:
+            uid = udata['id']
+            user_resp = client.get(f'_ui/v1/users/{uid}/')
+            assert user_resp.status_code == 200
diff --git a/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py b/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py
@@ -130,39 +130,50 @@ def test_user_can_create_users_with_right_perms(self):
         self.assertEqual(response.status_code, status.HTTP_201_CREATED)
 
     def test_user_list(self):
-        def _test_user_list():
+        def _test_user_list(expected=None):
+            # Check test user can[not] view other users
             self.client.force_authenticate(user=self.user)
             log.debug("self.client: %s", self.client)
             log.debug("self.client.__dict__: %s", self.client.__dict__)
             response = self.client.get(self.user_url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
+            # Check admin user can -always- view others
             self.client.force_authenticate(user=self.admin_user)
             response = self.client.get(self.user_url)
             self.assertEqual(response.status_code, status.HTTP_200_OK)
             data = response.data["data"]
             self.assertEqual(len(data), auth_models.User.objects.all().count())
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
-            _test_user_list()
+            _test_user_list(expected=status.HTTP_403_FORBIDDEN)
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
-            _test_user_list()
+            _test_user_list(expected=status.HTTP_403_FORBIDDEN)
+
+        # community
+        kwargs = {
+            'GALAXY_DEPLOYMENT_MODE': DeploymentMode.STANDALONE.value,
+            'SOCIAL_AUTH_GITHUB_KEY': '1234',
+            'SOCIAL_AUTH_GITHUB_SECRET': '1234'
+        }
+        with self.settings(**kwargs):
+            _test_user_list(expected=status.HTTP_200_OK)
 
     def test_user_get(self):
-        def _test_user_get():
-            # Check test user cannot view themselves on the users/ api
+        def _test_user_get(expected=None):
+            # Check test user can[not] view themselves on the users/ api
             self.client.force_authenticate(user=self.user)
             url = "{}{}/".format(self.user_url, self.user.id)
             response = self.client.get(url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
-            # Check test user cannot view other users
+            # Check test user can[not] view other users
             url = "{}{}/".format(self.user_url, self.admin_user.id)
             response = self.client.get(url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
-            # Check admin user can view others
+            # Check admin user can -always- view others
             self.client.force_authenticate(user=self.admin_user)
             url = "{}{}/".format(self.user_url, self.user.id)
             response = self.client.get(url)
@@ -175,10 +186,19 @@ def _test_user_get():
                 self.assertTrue(self.user.groups.exists(id=group["id"]))
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
-            _test_user_get()
+            _test_user_get(expected=status.HTTP_403_FORBIDDEN)
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
-            _test_user_get()
+            _test_user_get(expected=status.HTTP_403_FORBIDDEN)
+
+        # community
+        kwargs = {
+            'GALAXY_DEPLOYMENT_MODE': DeploymentMode.STANDALONE.value,
+            'SOCIAL_AUTH_GITHUB_KEY': '1234',
+            'SOCIAL_AUTH_GITHUB_SECRET': '1234'
+        }
+        with self.settings(**kwargs):
+            _test_user_get(expected=status.HTTP_200_OK)
 
     def _test_create_or_update(self, method_call, url, new_user_data, crud_status, auth_user):
         self.client.force_authenticate(user=auth_user)