ISD Sentry Server

Merge lp:~ricardokirkner/isd-sentry/require-team-decorator into lp:isd-sentry

require-team-decorator
Merge into trunk

Proposed by Ricardo Kirkner on 2012-09-17

Status:	Merged
Approved by:	Natalia Bidart on 2012-09-18
Approved revision:	21
Merged at revision:	13
Proposed branch:	lp:~ricardokirkner/isd-sentry/require-team-decorator
Merge into:	lp:isd-sentry
Diff against target:	202 lines (+119/-7) 8 files modified django_project/config/main.cfg (+1/-0) django_project/urls.py (+12/-4) fabtasks/database.py (+1/-1) fabtasks/development.py (+1/-1) isd_sentry/decorators.py (+29/-0) isd_sentry/schema.py (+2/-0) isd_sentry/tests.py (+69/-0) requirements.txt (+4/-1)
To merge this branch:	bzr merge lp:~ricardokirkner/isd-sentry/require-team-decorator
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Natalia Bidart (community)	2012-09-17	Approve on 2012-09-18
Tom Haddon	2012-09-17	Approve on 2012-09-18
Review via email: mp+124757@code.launchpad.net

Commit message

added decorator to restrict login to members of certain teams only

Description of the change

Added new decorator and monkeypatched sentry's login_required decorator so that all views requiring login also require users to be members of certain teams

lp:~ricardokirkner/isd-sentry/require-team-decorator updated on 2012-09-17

16. By Ricardo Kirkner on 2012-09-17: make sure to restrict which version of celery we can use
17. By Ricardo Kirkner on 2012-09-17: fixed incorrect decorator
18. By Ricardo Kirkner on 2012-09-17: changed flow following review

Revision history for this message

Tom Haddon (mthaddon) wrote on 2012-09-18:

Looks good. I'm approving in terms of assuming it does what it's designed to do - this isn't a code review as such, so you may need to have someone else do that if it's not testable.

review: Approve

lp:~ricardokirkner/isd-sentry/require-team-decorator updated on 2012-09-18

19. By Ricardo Kirkner on 2012-09-18: make isd_sentry a real django app
20. By Ricardo Kirkner on 2012-09-18: added tests
21. By Ricardo Kirkner on 2012-09-18: make sure to require django < 1.4

Revision history for this message

Natalia Bidart (nataliabidart) wrote on 2012-09-18:

Looks good! Also tested IRL and works as expected.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical ISD hackers

Ricardo Kirkner

 === modified file 'django_project/config/main.cfg'
 --- django_project/config/main.cfg	2012-02-29 15:48:48 +0000
 +++ django_project/config/main.cfg	2012-09-18 14:10:23 +0000
@@ -28,6 +28,7 @@
      south
      django_openid_auth
      django_configglue
++    isd_sentry
  template_dirs =
      /usr/share/pyshared/sentry/templates
      %(basedir)s/isd_sentry/templates
 === modified file 'django_project/urls.py'
 --- django_project/urls.py	2012-02-27 15:17:45 +0000
 +++ django_project/urls.py	2012-09-18 14:10:23 +0000
@@ -1,9 +1,17 @@
  from django.contrib.auth.views import logout
--from sentry.conf.urls import *
--
--
--urlpatterns += patterns('',
++from django.conf.urls.defaults import include, patterns
++
++
++urlpatterns = patterns('',
      # OpenID views
      (r'^openid/', include('django_openid_auth.urls')),
      (r'^logout/$', logout, {'next_page': '/'}),
+ )
++
++# monkey patch sentry so login requires team membership
++import sentry.web.decorators
++from isd_sentry.decorators import requires_team
++sentry.web.decorators.login_required = requires_team
++
++from sentry.conf.urls import urlpatterns as sentry_patterns
++urlpatterns += sentry_patterns
 === modified file 'fabtasks/database.py'
 --- fabtasks/database.py	2012-02-27 15:18:10 +0000
 +++ fabtasks/database.py	2012-09-18 14:10:23 +0000
@@ -84,7 +84,7 @@
      pg_env = []
      env.postgres = {
--        'BIN': '/usr/lib/postgresql/8.4/bin',
++        'BIN': '/usr/lib/postgresql/9.1/bin',
          'DATABASE': env.database['NAME'],
+     }
 === modified file 'fabtasks/development.py'
 --- fabtasks/development.py	2012-02-27 13:29:34 +0000
 +++ fabtasks/development.py	2012-09-18 14:10:23 +0000
@@ -5,7 +5,7 @@
  from .environment import bootstrap, virtualenv_local
--def test(coverage=False, extra=''):
++def test(coverage=False, extra='isd_sentry'):
      """Run unit tests."""
      cmd = ['python django_project/manage.py test --noinput', extra]
      virtualenv_local(' '.join(cmd), capture=False)
 === added file 'isd_sentry/decorators.py'
 --- isd_sentry/decorators.py	1970-01-01 00:00:00 +0000
 +++ isd_sentry/decorators.py	2012-09-18 14:10:23 +0000
@@ -0,0 +1,29 @@
++from functools import wraps
++
++from django.conf import settings
++from django.http import HttpResponseBadRequest
++from django.template.loader import render_to_string
++
++from sentry.web.decorators import login_required
++
++
++def requires_team(func):
++    @wraps(func)
++    @login_required
++    def wrapped(request, *args, **kwargs):
++        allowed = True
++        restricted_teams = getattr(
++            settings, 'OPENID_RESTRICT_ACCESS_TO_TEAMS', [])
++        user_has_openid = (
++            getattr(request.user, 'useropenid_set') is not None and
++            request.user.useropenid_set.count())
++
++        if restricted_teams and user_has_openid:
++            teams = request.user.groups.filter(name__in=restricted_teams)
++            allowed = teams.count()
++
++        if not allowed:
++            return HttpResponseBadRequest(render_to_string(
++                'sentry/missing_permissions.html'))
++        return func(request, *args, **kwargs)
++    return wrapped
 === added file 'isd_sentry/models.py'
 === modified file 'isd_sentry/schema.py'
 --- isd_sentry/schema.py	2012-04-13 20:21:05 +0000
 +++ isd_sentry/schema.py	2012-09-18 14:10:23 +0000
@@ -29,6 +29,7 @@
          sentry_udp_host = StringOption()
          sentry_udp_port = IntOption()
          sentry_url_prefix = StringOption()
++        sentry_sample_data = BoolOption(default=True)
      class openid(Section):
          openid_create_users = BoolOption()
@@ -38,3 +39,4 @@
          openid_sreg_extra_fields = ListOption()
          openid_launchpad_teams_mapping = DictOption()
          openid_launchpad_staff_teams = ListOption()
++        openid_restrict_access_to_teams = ListOption()
 === added file 'isd_sentry/tests.py'
 --- isd_sentry/tests.py	1970-01-01 00:00:00 +0000
 +++ isd_sentry/tests.py	2012-09-18 14:10:23 +0000
@@ -0,0 +1,69 @@
++from django.test import TestCase
++from django.contrib.auth.models import User, Group
++from django.conf import settings
++from django_openid_auth.models import UserOpenID
++
++from mock import patch
++
++
++class RequiresTeamTestCase(TestCase):
++    def setUp(self):
++        self.user = User.objects.create_user('testuser', '', 'test')
++        # add user to the right team
++        group = Group.objects.create(name='test-team')
++        self.user.groups.add(group)
++        # fake user logged in via openid
++        UserOpenID.objects.create(user=self.user)
++
++    def test_deny_access_to_non_members(self):
++        with patch.object(settings, 'OPENID_RESTRICT_ACCESS_TO_TEAMS',
++                          ['other-team']):
++            self.client.login(username='testuser', password='test')
++            response = self.client.get('/1/')
++        self.assertEqual(response.status_code, 400)
++        self.assertTemplateUsed(response, 'sentry/missing_permissions.html')
++
++    def test_allow_access_to_members(self):
++        with patch.object(settings, 'OPENID_RESTRICT_ACCESS_TO_TEAMS',
++                          ['test-team']):
++            self.client.login(username='testuser', password='test')
++            response = self.client.get('/1/')
++        self.assertEqual(response.status_code, 200)
++
++    def test_dont_restrict_teams(self):
++        with patch.object(settings, 'OPENID_RESTRICT_ACCESS_TO_TEAMS', []):
++            self.client.login(username='testuser', password='test')
++            response = self.client.get('/1/')
++        self.assertEqual(response.status_code, 200)
++
++    def test_dont_restrict_standard_users_if_no_teams(self):
++        # remove openid link with user
++        UserOpenID.objects.all().delete()
++
++        with patch.object(settings, 'OPENID_RESTRICT_ACCESS_TO_TEAMS', []):
++            self.client.login(username='testuser', password='test')
++            response = self.client.get('/1/')
++        self.assertEqual(response.status_code, 200)
++
++    def test_dont_restrict_admin_access_to_staff(self):
++        staff = User.objects.create_user('staff', '', 'staff')
++        staff.is_staff = True
++        staff.save()
++
++        with patch.object(settings, 'OPENID_RESTRICT_ACCESS_TO_TEAMS',
++                          ['test-team']):
++            self.client.login(username='staff', password='staff')
++            response = self.client.get('/admin/')
++        self.assertEqual(response.status_code, 200)
++
++    def test_dont_restrict_admin_access_to_superuser(self):
++        superuser = User.objects.create_user('superuser', '', 'superuser')
++        superuser.is_superuser = True
++        superuser.save()
++
++        with patch.object(settings, 'OPENID_RESTRICT_ACCESS_TO_TEAMS',
++                          ['test-team']):
++            self.client.login(username='superuser', password='superuser')
++            response = self.client.get('/admin/')
++        self.assertEqual(response.status_code, 200)
++
 === modified file 'requirements.txt'
 --- requirements.txt	2012-02-27 13:29:59 +0000
 +++ requirements.txt	2012-09-18 14:10:23 +0000
@@ -1,4 +1,7 @@
--sentry
++celery<3
++django<1.4
  django_openid_auth
++mock
  psycopg2
  python-openid
++sentry