Hi Marcus, I am also testing the upstream version of OBS with LDAP feature and ACLs. Can you point me to the test cases you were talking about? Thanks, Senthil M -----Original Message----- From: ext Marcus Huewe [mailto:suse-tux@gmx.de] Sent: 27 December, 2010 20:36 To: opensuse-buildservice@opensuse.org Subject: [opensuse-buildservice] [PATCH] small fix for the acl+remoteproject handling Hi, I just wrote a patch to fix some small issues with acl+remoteprojects: - app/controllers/build_controller.rb * def index: added support for remoteprojects (also added acl code for hidden remoteprojects) - app/controllers/source_controller.rb * def index_project: added acl code for hidden remoteprojects - app/models/db_project.rb * def is_remote_project?, def find_remote_project: added "skip_access=false" parameter to skip acl checks (by default they're enabled) - added new testcases Btw sometimes it's possible to "detect" hidden projects. For instance compare the output of GET /source/<hiddenproject> and GET /source/<non-existent> (I'm not quite sure if this is intended) Marcus --- src/api/app/controllers/build_controller.rb | 6 +++ src/api/app/controllers/source_controller.rb | 4 ++ src/api/app/models/db_project.rb | 16 +++++--- src/api/script/start_test_backend | 1 + src/api/test/fixtures/db_projects.yml | 9 +++++ src/api/test/fixtures/flags.yml | 6 +++ .../fixtures/project_user_role_relationships.yml | 5 +++ src/api/test/functional/interconnect_test.rb | 39 ++++++++++++++++++++ 8 files changed, 80 insertions(+), 6 deletions(-) diff --git a/src/api/app/controllers/build_controller.rb b/src/api/app/controllers/build_controller.rb index 7c4d3dd..67ff364 100644 --- a/src/api/app/controllers/build_controller.rb +++ b/src/api/app/controllers/build_controller.rb @@ -4,6 +4,12 @@ class BuildController < ApplicationController valid_http_methods :get, :post, :put prj = DbProject.find_by_name params[:project] + if prj.nil? and DbProject.is_remote_project?(params[:project], skip_access=true) + lpro, rpro = DbProject.find_remote_project(params[:project], skip_access=true) + prj = lpro if DbProject.check_access? lpro + # package is irrelevant for a remoteproject + params.delete :package + end pkg = DbPackage.find_by_project_and_name( params[:project], params[:package] ) if prj and params[:package] # todo: check if prj.nil?/pkg.nil? is sufficient diff --git a/src/api/app/controllers/source_controller.rb b/src/api/app/controllers/source_controller.rb index 06bf0ea..0b3e84c 100644 --- a/src/api/app/controllers/source_controller.rb +++ b/src/api/app/controllers/source_controller.rb @@ -79,6 +79,10 @@ class SourceController < ApplicationController deleted = params.has_key? :deleted pro = DbProject.find_by_name project_name hidden = DbProject.is_hidden?(project_name) + if pro.nil? and DbProject.is_remote_project?(project_name, skip_access=true) + lpro, rpro = DbProject.find_remote_project(project_name, skip_access=true) + hidden = DbProject.is_hidden?(lpro.name) && !DbProject.check_access?(lpro) + end # access checks #-------------- diff --git a/src/api/app/models/db_project.rb b/src/api/app/models/db_project.rb index ec72a62..b687869 100644 --- a/src/api/app/models/db_project.rb +++ b/src/api/app/models/db_project.rb @@ -36,10 +36,9 @@ class DbProject < ActiveRecord::Base class << self - def is_remote_project?(name) - lpro, rpro = find_remote_project(name) - return true unless lpro.nil? or lpro.remoteurl.nil? - return false + def is_remote_project?(name, skip_access=false) + lpro, rpro = find_remote_project(name, skip_access) + !lpro.nil? and !lpro.remoteurl.nil? end def is_hidden?(name) @@ -191,7 +190,7 @@ class DbProject < ActiveRecord::Base return dbp end - def find_remote_project(name) + def find_remote_project(name, skip_access=false) return nil unless name fragments = name.split(/:/) local_project = String.new @@ -201,7 +200,12 @@ class DbProject < ActiveRecord::Base remote_project = [fragments.pop, remote_project].compact.join ":" local_project = fragments.join ":" logger.debug "checking local project #{local_project}, remote_project #{remote_project}" - lpro = DbProject.find_by_name local_project + if skip_access + # hmm calling a private class method is not the best idea.. + lpro = find_initial :conditions => ["name = BINARY ?", local_project] + else + lpro = DbProject.find_by_name local_project + end return lpro, remote_project unless lpro.nil? or lpro.remoteurl.nil? end return nil diff --git a/src/api/script/start_test_backend b/src/api/script/start_test_backend index 9878c6c..349bbe9 100755 --- a/src/api/script/start_test_backend +++ b/src/api/script/start_test_backend @@ -154,6 +154,7 @@ Suse::Backend.put( '/source/LocalProject/_meta', DbProject.find_by_name('LocalPr Suse::Backend.put( '/source/LocalProject/remotepackage/_meta', DbPackage.find_by_project_and_name("LocalProject", "remotepackage").to_axml) Suse::Backend.put( '/source/LocalProject/remotepackage/_link', "") Suse::Backend.put( '/source/RemoteInstance/_meta', DbProject.find_by_name('RemoteInstance').to_axml) +Suse::Backend.put( '/source/HiddenRemoteInstance/_meta', DbProject.find_by_name('HiddenRemoteInstance').to_axml) Suse::Backend.put( '/source/UseRemoteInstance/_meta', DbProject.find_by_name('UseRemoteInstance').to_axml) Suse::Backend.put( '/source/home:adrian:BaseDistro/_meta', DbProject.find_by_name('home:adrian:BaseDistro').to_axml) Suse::Backend.put( '/source/home:adrian:ProtectionTest/_meta', DbProject.find_by_name('home:adrian:ProtectionTest').to_axml) diff --git a/src/api/test/fixtures/db_projects.yml b/src/api/test/fixtures/db_projects.yml index 45adf8b..cad7774 100644 --- a/src/api/test/fixtures/db_projects.yml +++ b/src/api/test/fixtures/db_projects.yml @@ -147,6 +147,15 @@ homeadrianProtectionTest: description: "" created_at: 2005-01-01 00:00:01 +HiddenRemoteInstance: + name: HiddenRemoteInstance + updated_at: 2005-01-01 00:00:01 + title: Remoteurl project which is hidden (access disabled) + id: 3006 + remoteurl: http://localhost:3200 + description: "for testing hidden remoteurl projects (access disabled)" + created_at: 2005-01-01 00:00:01 + # For testing remote project handling (we are our own remote instance) RemoteInstance: name: RemoteInstance diff --git a/src/api/test/fixtures/flags.yml b/src/api/test/fixtures/flags.yml index c8ecf2a..66059fc 100644 --- a/src/api/test/fixtures/flags.yml +++ b/src/api/test/fixtures/flags.yml @@ -77,6 +77,12 @@ hide_project: flag: access position: 1 +hide_remoteurlproject: + status: "disable" + db_project_id: 3006 + flag: access + position: 1 + source_protected_project: status: "disable" db_project_id: 3001 diff --git a/src/api/test/fixtures/project_user_role_relationships.yml b/src/api/test/fixtures/project_user_role_relationships.yml index 97c57ca..564f8dd 100644 --- a/src/api/test/fixtures/project_user_role_relationships.yml +++ b/src/api/test/fixtures/project_user_role_relationships.yml @@ -72,6 +72,11 @@ hiddenproject_maintainer_homer: bs_user_id: 46 role_id: 3 +hiddenremoteurlproject_maintainer_homer: + db_project_id: 3006 + bs_user_id: 46 + role_id: 3 + sourceaccess_project_maintainer_homer: db_project_id: 3001 bs_user_id: 49 diff --git a/src/api/test/functional/interconnect_test.rb b/src/api/test/functional/interconnect_test.rb index fe3c7d4..bffb122 100644 --- a/src/api/test/functional/interconnect_test.rb +++ b/src/api/test/functional/interconnect_test.rb @@ -240,4 +240,43 @@ end assert_response :success end + def test_get_packagelist_with_hidden_remoteurlproject + prepare_request_with_user "tom", "thunder" + get "/source/HiddenRemoteInstance" + assert_response 404 + get "/source/HiddenRemoteInstance:BaseDistro" + assert_response 404 + ActionController::IntegrationTest::reset_auth + prepare_request_with_user "hidden_homer", "homer" + get "/source/HiddenRemoteInstance" + assert_response :success + get "/source/HiddenRemoteInstance:BaseDistro" + assert_response :success + end + + def test_read_access_hidden_remoteurlproject_index + prepare_request_with_user "tom", "thunder" + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/_repository" + assert_response 404 + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/_repository?view=cache" + assert_response 404 + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/_repository?view=binaryversions" + assert_response 404 + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/_repository?view=cpio" + assert_response 404 + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/pack1" + assert_response 404 + ActionController::IntegrationTest::reset_auth + prepare_request_with_user "hidden_homer", "homer" + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/_repository" + assert_response :success + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/_repository?view=cache" + assert_response :success + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/_repository?view=binaryversions" + assert_response :success + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/_repository?view=cpio" + assert_response :success + get "/build/HiddenRemoteInstance:BaseDistro/BaseDistro_repo/i586/pack1" + assert_response :success + end end -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org