Merge pull request #1658 from arenadata/develop

Release 2022.03.25

.github/CODEOWNERS

@@ -1,5 +1,5 @@
 * @arenadata/python
-/tests/functional/ @arenadata/python-qa
-/tests/ui_tests/ @arenadata/python-qa
-/tests/api/ @arenadata/python-qa
+/tests/functional/ @arenadata/python-web-qa
+/tests/ui_tests/ @arenadata/python-web-qa
+/tests/api/ @arenadata/python-web-qa
 /web/ @arenadata/angular

Makefile

@@ -3,7 +3,7 @@ BRANCH_NAME ?= $(shell git rev-parse --abbrev-ref HEAD)
 
 ADCMBASE_IMAGE ?= hub.arenadata.io/adcm/base
 ADCMTEST_IMAGE ?= hub.arenadata.io/adcm/test
-ADCMBASE_TAG ?= 20220125085601
+ADCMBASE_TAG ?= 20220323204419
 APP_IMAGE ?= hub.adsw.io/adcm/adcm
 APP_TAG ?= $(subst /,_,$(BRANCH_NAME))
 

conf/adcm/config.yaml

@@ -39,13 +39,15 @@
           type: integer
           required: false
           default: 365
+          min: 0
           description: |
             You can set the time (number of days) after which the logs will be deleted from the file system.
         - name: "log_rotation_in_db"
           display_name: "Log rotation from database"
           type: integer
           required: false
           default: 365
+          min: 0
           description: |
             You can set the time (number of days) after which the logs will be deleted from the database.
     - name: "ansible_settings"

pytest.sh

@@ -18,7 +18,7 @@ pip3 install -r requirements-test.txt
 find . -name "*.pyc" -type f -delete
 find . -name "__pycache__" -type d -delete
 { # try
-    pytest tests/api tests/functional tests/ui_tests -s -v -n auto --maxfail 30 \
+    pytest tests/api tests/functional tests/ui_tests -s -v -n auto \
     --showlocals --alluredir ./allure-results/ --durations=20 -p allure_pytest \
     --reruns 2 --remote-executor-host "$SELENOID_HOST" --timeout=1080 "$@" &&
     chmod -R o+xw allure-results

python/api/action/serializers.py

@@ -19,7 +19,7 @@
 import cm.adcm_config
 from cm.models import PrototypeConfig, SubAction
 
-from api.api_views import get_api_url_kwargs
+from api.utils import get_api_url_kwargs
 from api.config.serializers import ConfigSerializerUI
 
 

python/api/action/views.py

@@ -10,29 +10,31 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+from itertools import compress
+
+from django.contrib.contenttypes.models import ContentType
+from guardian.mixins import PermissionListMixin
 from rest_framework import permissions
 from rest_framework.response import Response
 
-from api.api_views import (
-    ListView,
-    DetailViewRO,
-    GenericAPIPermView,
+from api.base_view import GenericUIView
+from api.job.serializers import RunTaskSerializer
+from api.utils import (
     ActionFilter,
+    AdcmFilterBackend,
     create,
-    check_obj,
     filter_actions,
     permission_denied,
+    get_object_for_user,
 )
-from api.job.serializers import RunTaskSerializer
-
-from cm.job import get_host_object
 from cm.models import (
     Host,
     Action,
     TaskLog,
     HostComponent,
     get_model_by_type,
 )
+from rbac.viewsets import DjangoOnlyObjectPermissions
 from . import serializers
 
 
@@ -50,12 +52,14 @@ def get_obj(**kwargs):
     return obj, action_id
 
 
-class ActionList(ListView):
+class ActionList(PermissionListMixin, GenericUIView):
     queryset = Action.objects.all()
     serializer_class = serializers.ActionSerializer
     serializer_class_ui = serializers.ActionUISerializer
     filterset_class = ActionFilter
     filterset_fields = ('name', 'button', 'button_is_null')
+    filter_backends = (AdcmFilterBackend,)
+    permission_required = ['cm.view_action']
 
     def get(self, request, *args, **kwargs):  # pylint: disable=too-many-locals
         """
@@ -76,13 +80,13 @@ def get(self, request, *args, **kwargs):  # pylint: disable=too-many-locals
                     cluster, _ = get_obj(object_type='cluster', cluster_id=hc.cluster_id)
                     service, _ = get_obj(object_type='service', service_id=hc.service_id)
                     component, _ = get_obj(object_type='component', component_id=hc.component_id)
-                    for obj in [cluster, service, component]:
+                    for connect_obj in [cluster, service, component]:
                         actions.update(
                             filter_actions(
-                                obj,
+                                connect_obj,
                                 self.filter_queryset(
                                     self.get_queryset().filter(
-                                        prototype=obj.prototype, host_action=True
+                                        prototype=connect_obj.prototype, host_action=True
                                     )
                                 ),
                             )
@@ -108,36 +112,46 @@ def get(self, request, *args, **kwargs):  # pylint: disable=too-many-locals
                 ),
             )
             objects = {obj.prototype.type: obj}
-        serializer_class = self.select_serializer(request)
-        serializer = serializer_class(
+        # added filter actions by custom perm for run actions
+        perms = [f'cm.run_action_{a.display_name}' for a in actions]
+        mask = [request.user.has_perm(perm, obj) for perm in perms]
+        actions = list(compress(actions, mask))
+        serializer = self.get_serializer(
             actions, many=True, context={'request': request, 'objects': objects, 'obj': obj}
         )
         return Response(serializer.data)
 
 
-class ActionDetail(DetailViewRO):
+class ActionDetail(PermissionListMixin, GenericUIView):
     queryset = Action.objects.all()
     serializer_class = serializers.ActionDetailSerializer
     serializer_class_ui = serializers.ActionUISerializer
+    permission_classes = (DjangoOnlyObjectPermissions,)
+    permission_required = ['cm.view_action']
 
     def get(self, request, *args, **kwargs):
         """
         Show specified action
         """
-        obj, action_id = get_obj(**kwargs)
-        action = check_obj(Action, {'id': action_id}, 'ACTION_NOT_FOUND')
+        object_type, object_id, action_id = get_object_type_id(**kwargs)
+        model = get_model_by_type(object_type)
+        ct = ContentType.objects.get_for_model(model)
+        obj = get_object_for_user(
+            request.user, f'{ct.app_label}.view_{ct.model}', model, id=object_id
+        )
+        # TODO: we can access not only the actions of this object
+        action = get_object_for_user(request.user, 'cm.view_action', Action, id=action_id)
         if isinstance(obj, Host) and action.host_action:
             objects = {'host': obj}
         else:
             objects = {action.prototype.type: obj}
-        serializer_class = self.select_serializer(request)
-        serializer = serializer_class(
+        serializer = self.get_serializer(
             action, context={'request': request, 'objects': objects, 'obj': obj}
         )
         return Response(serializer.data)
 
 
-class RunTask(GenericAPIPermView):
+class RunTask(GenericUIView):
     queryset = TaskLog.objects.all()
     serializer_class = RunTaskSerializer
     permission_classes = (permissions.IsAuthenticated,)
@@ -148,9 +162,6 @@ def has_action_perm(self, action, obj):
         if user.has_perm('cm.add_task'):
             return True
 
-        if action.host_action:
-            obj = get_host_object(action, obj.cluster)
-
         return user.has_perm(f'cm.run_action_{action.display_name}', obj)
 
     def check_action_perm(self, action, obj):
@@ -161,8 +172,13 @@ def post(self, request, *args, **kwargs):
         """
         Ran specified action
         """
-        obj, action_id = get_obj(**kwargs)
-        action = check_obj(Action, {'id': action_id}, 'ACTION_NOT_FOUND')
+        object_type, object_id, action_id = get_object_type_id(**kwargs)
+        model = get_model_by_type(object_type)
+        ct = ContentType.objects.get_for_model(model)
+        obj = get_object_for_user(
+            request.user, f'{ct.app_label}.view_{ct.model}', model, id=object_id
+        )
+        action = get_object_for_user(request.user, 'cm.view_action', Action, id=action_id)
         self.check_action_perm(action, obj)
-        serializer = self.serializer_class(data=request.data, context={'request': request})
+        serializer = self.get_serializer(data=request.data)
         return create(serializer, action=action, task_object=obj)

python/api/adcm/serializers.py

@@ -12,7 +12,7 @@
 
 from rest_framework import serializers
 
-from api.api_views import hlink, CommonAPIURL
+from api.utils import hlink, CommonAPIURL
 from api.concern.serializers import ConcernItemSerializer
 from api.serializers import StringListSerializer
 from cm.adcm_config import get_main_info

python/api/adcm/views.py

@@ -10,12 +10,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+from rest_framework import permissions
+from rest_framework.response import Response
+
 from cm.models import ADCM
-from api.api_views import DetailViewRO, ListView
+from api.base_view import GenericUIView, DetailView
 from . import serializers
 
 
-class AdcmList(ListView):
+class AdcmList(GenericUIView):
     """
     get:
     List adcm object
@@ -24,9 +27,15 @@ class AdcmList(ListView):
     queryset = ADCM.objects.all()
     serializer_class = serializers.AdcmSerializer
     serializer_class_ui = serializers.AdcmDetailUISerializer
+    permission_classes = (permissions.IsAuthenticated,)
+
+    def get(self, request, *args, **kwargs):
+        obj = self.get_queryset()
+        serializer = self.get_serializer(obj, many=True)
+        return Response(serializer.data)
 
 
-class AdcmDetail(DetailViewRO):
+class AdcmDetail(DetailView):
     """
     get:
     Show adcm object
@@ -35,6 +44,7 @@ class AdcmDetail(DetailViewRO):
     queryset = ADCM.objects.all()
     serializer_class = serializers.AdcmDetailSerializer
     serializer_class_ui = serializers.AdcmDetailUISerializer
+    permission_classes = (permissions.IsAuthenticated,)
     lookup_field = 'id'
     lookup_url_kwarg = 'adcm_id'
     error_code = 'ADCM_NOT_FOUND'