Fixes the permission issue with import-all.

Closes #373
pulp · Jun 24, 2024 · 4e7084d · 4e7084d
1 parent d37fd49
commit 4e7084d
Show file tree

Hide file tree

Showing 4 changed files with 136 additions and 3 deletions.
diff --git a/CHANGES/373.bugfix b/CHANGES/373.bugfix
@@ -0,0 +1 @@
+Fixed an issue when trying to use import-all as a non-admin user.
diff --git a/pulp_ostree/app/tasks/importing.py b/pulp_ostree/app/tasks/importing.py
@@ -42,8 +42,7 @@ def import_all_refs_and_commits(artifact_pk, repository_pk, repository_name):
         repository_name (str): The name of an OSTree repository (e.g., "repo").
 
     Raises:
-        ValueError: If an OSTree repository could not be properly parsed or the specified ref
-            does not exist.
+        ValueError: If an OSTree repository could not be properly parsed.
     """
     tarball_artifact = Artifact.objects.get(pk=artifact_pk)
     repository = Repository.objects.get(pk=repository_pk)

diff --git a/pulp_ostree/app/viewsets.py b/pulp_ostree/app/viewsets.py
@@ -160,7 +160,7 @@ class OstreeRepositoryViewSet(core.RepositoryViewSet, ModifyRepositoryActionMixi
                 "principal": "authenticated",
                 "effect": "allow",
                 "condition": [
-                    "has_model_or_domain_or_obj_perms:ostree.import_commits_ostreerepository"
+                    "has_model_or_domain_or_obj_perms:ostree.import_commits_ostreerepository",
                     "has_model_or_domain_or_obj_perms:ostree.view_ostreerepository",
                 ],
             },

diff --git a/pulp_ostree/tests/functional/api/test_import.py b/pulp_ostree/tests/functional/api/test_import.py
@@ -354,3 +354,136 @@ def test_import_commits_same_ref(
     assert added_content["ostree.commit"]["count"] == 1
     assert added_content["ostree.content"]["count"] == 2
     assert added_content["ostree.summary"]["count"] == 1
+
+
+@pytest.mark.parallel
+def test_import_all_as_ostree_repo_admin(
+    pulpcore_bindings,
+    gen_user,
+    role_factory,
+    gen_object_with_cleanup,
+    monitor_task,
+    ostree_repository_factory,
+    ostree_repositories_api_client,
+    ostree_repositories_versions_api_client,
+    tmp_path,
+):
+    """Create a role for ostree admin, then import a repository with import-all."""
+    role_factory(
+        name="ostree.admin",
+        description="ostree admin test role",
+        permissions=[
+            "core.add_compositecontentguard",
+            "core.add_domain",
+            "core.add_headercontentguard",
+            "ostree.add_ostreedistribution",
+            "ostree.add_ostreeremote",
+            "ostree.add_ostreerepository",
+            "ostree.view_ostreerepository",
+            "ostree.change_ostreerepository",
+            "ostree.delete_ostreerepository",
+            "ostree.import_commits_ostreerepository",
+            "ostree.manage_roles_ostreerepository",
+            "ostree.modify_ostreerepository",
+            "ostree.repair_ostreerepository",
+            "ostree.sync_ostreerepository",
+            "ostree.view_ostreerepository",
+            "ostree.add_ostreerepository",
+            "ostree.view_ostreeremote",
+            "ostree.change_ostreeremote",
+            "ostree.delete_ostreeremote",
+            "ostree.manage_roles_ostreeremote",
+            "ostree.view_ostreeremote",
+            "ostree.add_ostreeremote",
+            "ostree.view_ostreedistribution",
+            "ostree.change_ostreedistribution",
+            "ostree.delete_ostreedistribution",
+            "ostree.manage_roles_ostreedistribution",
+            "ostree.view_ostreedistribution",
+            "ostree.add_ostreedistribution",
+            "core.replicate_upstreampulp",
+            "core.view_upload",
+            "core.change_upload",
+            "core.delete_upload",
+            "core.manage_roles_upload",
+            "core.view_upload",
+            "core.add_upload",
+            "core.view_task",
+            "core.change_task",
+            "core.delete_task",
+            "core.manage_roles_task",
+            "core.view_task",
+            "core.view_taskschedule",
+            "core.manage_roles_taskschedule",
+            "core.view_taskschedule",
+            "core.download_rbaccontentguard",
+            "core.view_rbaccontentguard",
+            "core.change_rbaccontentguard",
+            "core.delete_rbaccontentguard",
+            "core.manage_roles_rbaccontentguard",
+            "core.view_rbaccontentguard",
+            "core.add_rbaccontentguard",
+            "core.view_headercontentguard",
+            "core.change_headercontentguard",
+            "core.delete_headercontentguard",
+            "core.manage_roles_headercontentguard",
+            "core.view_headercontentguard",
+            "core.add_headercontentguard",
+            "core.view_group",
+            "core.change_group",
+            "core.delete_group",
+            "core.manage_roles_group",
+            "core.view_group",
+            "core.add_group",
+            "core.view_domain",
+            "core.change_domain",
+            "core.delete_domain",
+            "core.manage_roles_domain",
+            "core.view_domain",
+            "core.add_domain",
+            "core.view_contentredirectcontentguard",
+            "core.change_contentredirectcontentguard",
+            "core.delete_contentredirectcontentguard",
+            "core.manage_roles_contentredirectcontentguard",
+            "core.view_contentredirectcontentguard",
+            "core.add_contentredirectcontentguard",
+            "core.view_compositecontentguard",
+            "core.change_compositecontentguard",
+            "core.delete_compositecontentguard",
+            "core.manage_roles_compositecontentguard",
+            "core.view_compositecontentguard",
+            "core.add_compositecontentguard",
+        ],
+    )
+
+    os.chdir(tmp_path)
+    repo_name = "repo"
+    sample_dir = tmp_path / str(uuid.uuid4())
+    sample_file1 = sample_dir / str(uuid.uuid4())
+    branch_name = "foo"
+
+    # 1. create a first file
+    sample_dir.mkdir()
+    sample_file1.touch()
+
+    # 2. initialize a local OSTree repository and commit the created file
+    subprocess.run(["ostree", f"--repo={repo_name}", "init", "--mode=archive"])
+    subprocess.run(
+        ["ostree", f"--repo={repo_name}", "commit", f"--branch={branch_name}", f"{sample_dir}/"]
+    )
+    subprocess.run(["tar", "-cvf", f"{repo_name}.tar", f"{repo_name}/"])
+
+    user = gen_user(model_roles=["ostree.admin"])
+
+    with user:
+        artifact = gen_object_with_cleanup(pulpcore_bindings.ArtifactsApi, f"{repo_name}.tar")
+        repo = ostree_repository_factory(name=repo_name)
+        commit_data = OstreeImportAll(artifact.pulp_href, repo_name)
+        response = ostree_repositories_api_client.import_all(repo.pulp_href, commit_data)
+
+    repo_version = monitor_task(response.task).created_resources[0]
+
+    repository_version = ostree_repositories_versions_api_client.read(repo_version)
+    added_content = repository_version.content_summary.added
+    assert added_content["ostree.refs"]["count"] == 1
+    assert added_content["ostree.commit"]["count"] == 1
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Fixed an issue when trying to use import-all as a non-admin user.