From d2d18ca00d52dc44bba36fffd18079dde1565ef1 Mon Sep 17 00:00:00 2001 From: John Davis Date: Tue, 13 Aug 2024 09:36:00 -0400 Subject: [PATCH] tmp --- lib/galaxy/model/security.py | 132 ++++++++++-------- .../webapps/galaxy/controllers/admin.py | 9 +- test/unit/data/model/conftest.py | 10 ++ test/unit/data/model/db/test_security.py | 21 +++ 4 files changed, 112 insertions(+), 60 deletions(-) create mode 100644 test/unit/data/model/db/test_security.py diff --git a/lib/galaxy/model/security.py b/lib/galaxy/model/security.py index f7cc4f31120c..892266ade11f 100644 --- a/lib/galaxy/model/security.py +++ b/lib/galaxy/model/security.py @@ -1458,7 +1458,8 @@ def get_showable_folders( self.get_showable_folders(user, roles, folder, actions_to_check, showable_folders=showable_folders) return showable_folders - # def set_user_group_and_role_associations( + + #def set_user_group_and_role_associations( # self, user_id: int, group_ids: Optional[List[int]] = None, role_ids: Optional[List[int]] = None # ) -> None: # """ Set user groups and user roles, replacing current associations.""" 
@@ -1466,69 +1467,82 @@ def get_showable_folders( # self._set_user_roles(user_id, role_ids or []) # self.sa_session.commit() # + + + + def set_group_user_and_role_associations( - # TODO set group type self, - group, + group: Group, *, user_ids: Optional[List[int]] = None, role_ids: Optional[List[int]] = None, ) -> None: """Set group users and group roles, replacing current associations.""" self._ensure_model_instance_has_id(group) - self._set_group_users(group.id, user_ids or []) - self._set_group_roles(group.id, role_ids or []) + set_group_users(group.id, user_ids or [], self.sa_session) + set_group_roles(group.id, role_ids or [], self.sa_session) - # - # def set_role_user_and_group_associations( - # self, role_id: int, user_ids: Optional[List[int]] = None, group_ids: Optional[List[int]] = None - # ) -> None: - # """ Set role users and role groups, replacing current associations.""" - # self._set_group_users(role_id, user_ids or []) - # self._set_group_roles(role_id, grour_ids or []) - # self.sa_session.commit() - # - # def _set_user_groups(self, user, groups): - # delete_stmt = delete(UserGroupAssociation).where(UserGroupAssociation.user_id == user.id) - # insert_values = [{"user_id": user.id, "group_id": group_id} for group_id in groups] - # self._set_associations(UserGroupAssociation, delete_stmt, insert_values) + #self._set_group_users(group.id, user_ids or []) + #self._set_group_roles(group.id, role_ids or []) + + + def set_role_user_and_group_associations( + self, + role: Role, + *, + user_ids: Optional[List[int]] = None, + group_ids: Optional[List[int]] = None, + ) -> None: + """ Set role users and role groups, replacing current associations.""" + self._ensure_model_instance_has_id(role) + self._set_role_users(role.id, user_ids or []) + self._set_role_groups(role.id, group_ids or []) + + #def _set_user_groups(self, user, groups): + # delete_stmt = delete(UserGroupAssociation).where(UserGroupAssociation.user_id == user.id) + # insert_values = [{"user_id": 
user.id, "group_id": group_id} for group_id in groups] + # self._set_associations(UserGroupAssociation, delete_stmt, insert_values) + + # def _set_user_roles(self, user, roles): + # delete_stmt = delete(UserRoleAssociation).where(UserRoleAssociation.user_id == user.id) + # insert_values = [{"user_id": user.id, "role_id": role_id} for role_id in roles] + # self._set_associations(UserRoleAssociation, delete_stmt, insert_values) # - def _ensure_model_instance_has_id(self, model_instance): - # If model_instance is new, it may have not been assigned a database id yet, which is required - # for creating association records. Flush if that's the case. - if model_instance.id is None: - self.sa_session.flush([model_instance]) def _set_group_users(self, group_id, users): delete_stmt = delete(UserGroupAssociation).where(UserGroupAssociation.group_id == group_id) insert_values = [{"group_id": group_id, "user_id": user_id} for user_id in users] self._set_associations(UserGroupAssociation, delete_stmt, insert_values) - # def _set_user_roles(self, user, roles): - # delete_stmt = delete(UserRoleAssociation).where(UserRoleAssociation.user_id == user.id) - # insert_values = [{"user_id": user.id, "role_id": role_id} for role_id in roles] - # self._set_associations(UserRoleAssociation, delete_stmt, insert_values) - # - # def _set_role_users(self, role, users): - # delete_stmt = delete(UserRoleAssociation).where(UserRoleAssociation.role_id == role.id) - # insert_values = [{"role_id": role.id, "user_id": user_id} for user_id in users] - # self._set_associations(UserRoleAssociation, delete_stmt, insert_values) - # def _set_group_roles(self, group_id, roles): delete_stmt = delete(GroupRoleAssociation).where(GroupRoleAssociation.group_id == group_id) insert_values = [{"group_id": group_id, "role_id": role_id} for role_id in roles] self._set_associations(GroupRoleAssociation, delete_stmt, insert_values) - # def _set_role_groups(self, role, groups): - # delete_stmt = 
delete(GroupRoleAssociation).where(GroupRoleAssociation.role_id == role.id) - # insert_values = [{"role_id": role.id, "group_id": group_id} for group_id in groups] - # self._set_associations(GroupRoleAssociation, delete_stmt, insert_values) + def _set_role_users(self, role_id, users): + delete_stmt = delete(UserRoleAssociation).where(UserRoleAssociation.role_id == role_id) + insert_values = [{"role_id": role_id, "user_id": user_id} for user_id in users] + self._set_associations(UserRoleAssociation, delete_stmt, insert_values) + + def _set_role_groups(self, role_id, groups): + delete_stmt = delete(GroupRoleAssociation).where(GroupRoleAssociation.role_id == role_id) + insert_values = [{"role_id": role_id, "group_id": group_id} for group_id in groups] + self._set_associations(GroupRoleAssociation, delete_stmt, insert_values) + + def _ensure_model_instance_has_id(self, model_instance): + # If model_instance is new, it may have not been assigned a database id yet, which is required + # for creating association records. Flush if that's the case. + if model_instance.id is None: + self.sa_session.flush([model_instance]) def _set_associations(self, assoc_model, delete_stmt, insert_values): - # Ensure parent model has a database-assigned id - if assoc_model.id is None: - self.sa_session.flush(assoc_model) + # TODO remove this + ## Ensure parent model has a database-assigned id + #if assoc_model.id is None: + # self.sa_session.flush(assoc_model) + # Delete current associations self.sa_session.execute(delete_stmt) # Create new associations 
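Review bot: In `set_group_user_and_role_associations` the new calls `set_group_users(group.id, user_ids or [], self.sa_session)` and `set_group_roles(group.id, role_ids or [], self.sa_session)` are bare names, but the visible hunks define neither at module level and keep the `_set_group_users` / `_set_group_roles` methods, so unless they are defined elsewhere the group path raises `NameError` while the role path (`self._set_role_users`, `self._set_role_groups`) works. Keeping both paths on the same helpers would avoid that, e.g. `self._set_group_users(group.id, user_ids or [])` and `self._set_group_roles(group.id, role_ids or [])`. These helpers delete every existing association before inserting the submitted ids, and neither public method commits, so `_set_associations` (whose body continues outside the hunk) deserves a docstring saying that the delete and insert must succeed or roll back together and that the caller owns the commit. The commented-out method bodies and the `# TODO remove this` id check read as work in progress and are better deleted than merged as dead code.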
@@ -1564,24 +1578,6 @@ def set_entity_user_associations(self, users=None, roles=None, groups=None, dele for group in groups: self.associate_components(user=user, group=group) - def set_entity_role_associations(self, roles=None, users=None, groups=None, delete_existing_assocs=True): - users = users or [] - roles = roles or [] - groups = groups or [] - for role in roles: - if delete_existing_assocs: - flush_needed = False - for a in role.users + role.groups: - self.sa_session.delete(a) - flush_needed = True - if flush_needed: - with transaction(self.sa_session): - self.sa_session.commit() - for user in users: - self.associate_components(user=user, role=role) - for group in groups: - self.associate_components(group=group, role=role) - def get_component_associations(self, **kwd): assert len(kwd) == 2, "You must specify exactly 2 Galaxy security components to check for associations." if "dataset" in kwd: @@ -1755,3 +1751,23 @@ def _walk_action_roles(permissions, query_action): yield action, roles elif action == query_action.action and roles: yield action, roles + + + + + + + + + + + + + + + + + + + + diff --git a/lib/galaxy/webapps/galaxy/controllers/admin.py b/lib/galaxy/webapps/galaxy/controllers/admin.py index 43cdfcbf1550..c94413238eff 100644 --- a/lib/galaxy/webapps/galaxy/controllers/admin.py +++ b/lib/galaxy/webapps/galaxy/controllers/admin.py 
@@ -834,7 +834,13 @@ def manage_users_and_groups_for_role(self, trans, payload=None, **kwd): trans.sa_session.delete(dhp) with transaction(trans.sa_session): trans.sa_session.commit() - trans.app.security_agent.set_entity_role_associations(roles=[role], users=in_users, groups=in_groups) + + + trans.app.security_agent.set_role_user_and_group_associations( + role, user_ids=user_ids, group_ids=group_ids + + with transaction(trans.sa_session): + trans.sa_session.commit() trans.sa_session.refresh(role) return { "message": f"Role '{role.name}' has been updated with {len(in_users)} associated users and {len(in_groups)} associated groups." @@ -923,7 +929,6 @@ def manage_users_and_roles_for_group(self, trans, payload=None, **kwd): ) with transaction(trans.sa_session): trans.sa_session.commit() - trans.sa_session.refresh(group) return { "message": f"Group '{group.name}' has been updated with {len(user_ids)} associated users and {len(role_ids)} associated roles." diff --git a/test/unit/data/model/conftest.py b/test/unit/data/model/conftest.py index 26ea7d8b7cc2..2d06aacea26b 100644 --- a/test/unit/data/model/conftest.py +++ b/test/unit/data/model/conftest.py @@ -149,6 +149,16 @@ def f(**kwd): return f +@pytest.fixture +def make_group(session): + def f(**kwd): + model = m.Group(**kwd) + write_to_db(session, model) + return model + + return f + + @pytest.fixture def make_hda(session, make_history): def f(**kwd): diff --git a/test/unit/data/model/db/test_security.py b/test/unit/data/model/db/test_security.py new file mode 100644 index 000000000000..9c1e69d7c413 --- /dev/null +++ b/test/unit/data/model/db/test_security.py 
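Review bot: The added call `trans.app.security_agent.set_role_user_and_group_associations(` in `manage_users_and_groups_for_role` is never closed: the argument line `role, user_ids=user_ids, group_ids=group_ids` is followed directly by `with transaction(trans.sa_session):`, so admin.py will not parse as written and needs a `)` after the argument line. The call also passes `user_ids` and `group_ids`, whereas the context lines of this hunk only show `in_users` and `in_groups` (used in the response message). The function body starts outside the hunk, so confirm those names exist there and that the ids went through the same lookup that produced `in_users` / `in_groups`, because the agent now writes them directly into role association rows.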
@@ -0,0 +1,21 @@
+from galaxy.model.security import GalaxyRBACAgent
+
+
+def test_set_group_user_and_role_associations(make_user, make_role, make_group):
+ users = [make_user() for _ in range(3)]
+ roles = [make_role() for _ in range(3)]
+
+ user_ids = [users[0].id, users[1].id] # first and second user
+ role_ids = [role.id for role in roles] # all roles
+
+ group = make_group()
+ assert len(group.users) == 0
+ assert len(group.roles) == 0
+
+ db.group.set_group_user_and_role_associations(group, user_ids=user_ids, role_ids=role_ids)
+
+ assert len(group.users) == 2
+ assert len(group.roles) == 3
+ # also verify ids
+
+
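Review bot: The test calls `db.group.set_group_user_and_role_associations(...)`, but `db` is neither a fixture argument nor an import, and the imported `GalaxyRBACAgent` is never used, so the test stops with `NameError` before it exercises the method. The call should go through an explicitly constructed agent (how to build one from the test session is not visible in this patch). Since the method promises to replace current associations, the test should start from a group that already holds at least one user or role and assert that the old association is gone afterwards; checking only the final counts would also pass for an implementation that appends. The `# also verify ids` placeholder should become a real assertion comparing the associated user and role ids with `user_ids` and `role_ids`.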