| Age | Commit message | Author |
|
ever allowing them
This commit allows the auth system to handle Temp traits (by just treating them as public traits)
|
|
Add delete-test-users which reads the credentials file produced by
create-test-users and deletes all listed users unconditionally via
delete_users_by_id, bypassing policy checks. Intended for CI teardown.
|
|
Add delete-oauth2-client which reads a credentials file produced
by create-oauth2-client or create-test-oauth2-client and removes the
client and its associated tokens from the database.
|
|
Add create-test-oauth2-client which reads the users-file produced
by create-test-users to find the client owner, auto-generates the client
name with the session timestamp, and delegates to __create_one_client__.
|
|
Add a __create_one_client__ helper that constructs an OAuth2Client,
hashes the secret, persists it via save_client, and returns a credential
record dict. Add create-oauth2-client CLI command that exposes all client
parameters explicitly. Preparation for reuse by create-test-oauth2-client.
|
|
Add create_test_users which auto-generates timestamped emails and random
passwords for ephemeral test accounts, delegating DB creation to the
__create_one_user__ helper introduced in the previous commit.
|
|
Refactor create_users to delegate per-user DB creation to a shared
__create_one_user__ helper. No behaviour change — preparation for
reuse by the forthcoming create_test_users command.
|
|
Add a delete-users command that removes one or more users by UUID,
unconditionally bypassing the policy checks in the HTTP endpoint.
Delegates to delete_users_by_id from the authorisation users models.
|
|
Add a low-level delete_users_by_id function that removes users and all
their dependent data unconditionally, bypassing the policy checks in the
'/auth/users/delete' HTTP endpoint (which refuses to delete privileged
users).
This is intended for use by CLI test-teardown commands and the
sudo-wrapped CI cleanup script. It might also find utility in other
places where we do actually need to delete a user and their data
unconditionally.
Co-authored-by: Frederick Muriuki Muriithi <fredmanglis@gmail.com>
|
|
Add a general-purpose `create-users` command that creates one or more
users with explicitly specified name, email, password and role.
Supported roles: system-admin (assigns default roles plus
grant_sysadmin_role), none (assigns default roles only).
Output is written as JSON to a file (with 0600 permissions) or stdout.
Helper functions __parse_user_spec__ and __write_output__ are factored
out for reuse by the forthcoming create-test-users command.
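The create-test-users and create-users messages above describe two things a practitioner will want to get right: test credentials generated from a CSPRNG, and a credentials file that is never world-readable, not even for an instant. The following is an added illustration of both points and is not gn-auth's own code; the function names (make_test_users, write_credentials, file_mode, read_credentials), the record layout and the example.invalid domain are assumptions made for this example.

```python
"""Ephemeral test-user generation and 0600 credential output (added example,
not gn-auth code).  Function names, record layout and domain are assumptions."""
import json
import os
import secrets
import string
import tempfile
from datetime import datetime, timezone

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_.~"


def make_test_users(count: int, session_ts: str, domain: str = "example.invalid") -> list:
    """Build `count` user specs with timestamped emails and random passwords.

    Passwords come from the `secrets` module (CSPRNG), never from `random`.
    `session_ts` ties all users of one CI session together for later teardown.
    """
    users = []
    for idx in range(count):
        password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(24))
        users.append({
            "name": f"test-user-{session_ts}-{idx}",
            "email": f"test-{session_ts}-{idx}@{domain}",
            "password": password,
            "role": "none",
        })
    return users


def write_credentials(records: list, path: str) -> str:
    """Write `records` as JSON to `path` with 0600 permissions.

    The file is created with O_CREAT|O_EXCL and mode 0o600 in one open(2)
    call, so there is no window in which the credentials are readable by
    other users (as there is with open() followed by chmod under a loose
    umask), and an existing file is never silently overwritten.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        json.dump(records, out, indent=2)
        out.write("\n")
    return path


def file_mode(path: str) -> int:
    """Permission bits of `path` (e.g. 0o600), for verification."""
    return os.stat(path).st_mode & 0o777


def read_credentials(path: str) -> list:
    """Read a credentials file back, as a teardown command would."""
    with open(path, encoding="utf-8") as inp:
        return json.load(inp)


if __name__ == "__main__":
    ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S")
    with tempfile.TemporaryDirectory() as tmp:
        out_path = os.path.join(tmp, "test-users.json")
        write_credentials(make_test_users(2, ts), out_path)
        print(oct(file_mode(out_path)), [u["email"] for u in read_credentials(out_path)])
```

Creating the file with the final mode in the `os.open` call is the part that matters: a `chmod` after the fact leaves a window in which the umask, not the program, decides who can read the passwords, and `O_EXCL` keeps a stale file from an earlier session from being overwritten unnoticed.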
|
|
The startup checks should be used sparingly, if at all, and they
override every other setting.
|
|
In preparation for migrating to pyproject.toml (from setup.py and
friends) we need to have only one top-level package. This will also
help in improving testing and checks down the line, since everything
will be relative to one single top-level directory.
|
|
In preparation for migrating to pyproject.toml (from setup.py and
friends) we need to have only one top-level package. This will also
help in improving testing and checks down the line, since everything
will be relative to one single top-level directory.
|
|
The `gn_auth.auth.authorisation.resources.checks.can_[edit/delete]`
functions duplicate the utility provided by similarly named functions in
the `gn_libs.privileges.resources` package. These ones are, thus,
deprecated in favour of the gn-libs ones.
|
|
The `gn_auth.auth.authorisation.resources.checks.can_view` function is
no longer used in this code base. It can be safely removed.
|
|
To avoid failures later due to missing keys, we initialise the initial
value used in reduce to a dict with empty tuples for every key.
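The failure the commit above guards against is easy to reproduce: a `reduce` that appends to `acc[key]` with an empty dict as the initial value raises KeyError on the first record, and even a version using `.get` leaves out any key that never appears in the input. The block below is an added illustration of the pre-populated accumulator, not gn-auth's own code; the resource kinds, the record layout and the function names are assumptions for this example.

```python
"""Grouping records with functools.reduce over a fixed key set (added
example, not gn-auth code; kinds, record layout and names are assumptions)."""
from functools import reduce

RESOURCE_KINDS = ("mrna", "genotype", "phenotype")


def _append(acc, res):
    """Reduction step: add the resource id to the tuple for its kind."""
    return {**acc, res["kind"]: acc[res["kind"]] + (res["id"],)}


def group_naive(resources):
    """Accumulate into an empty dict.

    Raises KeyError on the very first record, and any kind that never
    occurs in the input would be missing from the result anyway, so a
    caller doing result["phenotype"] would break."""
    return reduce(_append, resources, {})


def group_by_kind(resources):
    """Accumulate into a dict pre-populated with an empty tuple per kind.

    Every key in RESOURCE_KINDS is present in the result, even when the
    input is empty, so downstream lookups never hit a missing key."""
    return reduce(_append, resources, {kind: tuple() for kind in RESOURCE_KINDS})


# Constructed sample input: note there are no "phenotype" resources at all.
SAMPLE = (
    {"kind": "mrna", "id": "r1"},
    {"kind": "genotype", "id": "r2"},
    {"kind": "mrna", "id": "r3"},
)

if __name__ == "__main__":
    print(group_by_kind(SAMPLE))
    try:
        group_naive(SAMPLE)
    except KeyError as err:
        print("naive version failed with KeyError:", err)
```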
|
|
Fetch resources using the dataset names (and trait names where
relevant) to simplify the code, and make it clearer what the endpoint
actually does.
|
|
Replace the functions and classes in `gn_auth.auth.db.sqlite3` with
those in `gn_libs.sqlite3` to reduce duplications.
Deprecate the `gn_auth.auth.db.sqlite3` module and the remaining
function(s) within, in preparation for removal.
|
|
To help with debugging and traceability, both in development and
production, we need to be able to turn individual module loggers on or
off in a flexible way. This commit enables that.
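One way to get per-module logger switches driven by configuration is `logging.config.dictConfig` with a `loggers` section built from the settings. The block below is an added illustration of that approach, not gn-auth's own code; the `MODULE_LOGGERS` setting, the "off" value, and the helper names are assumptions for this example, and the dotted logger names are used only to show how child loggers inherit a module's level.

```python
"""Per-module logger control from application settings (added example,
not gn-auth code; MODULE_LOGGERS, the "off" value and helper names are
assumptions)."""
import logging
import logging.config

# Constructed settings: a module logger name maps to a level name, or to
# "off" to silence that module (and its children) entirely.
SETTINGS = {
    "LOG_LEVEL": "INFO",
    "MODULE_LOGGERS": {
        "gn_auth.auth.db": "DEBUG",
        "gn_auth.auth.authorisation": "WARNING",
        "gn_auth.auth.requests": "off",
    },
}

OFF = logging.CRITICAL + 1  # no standard level reaches this, so nothing is emitted


def logging_config(settings: dict) -> dict:
    """Build a dictConfig mapping from `settings`.

    disable_existing_loggers is False so loggers created at import time
    (the usual logging.getLogger(__name__)) keep working; unknown level
    names are rejected by dictConfig rather than silently ignored.
    """
    loggers = {}
    for name, level in settings.get("MODULE_LOGGERS", {}).items():
        loggers[name] = {"level": OFF if level.lower() == "off" else level.upper()}
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {
            "std": {"format": "%(asctime)s %(name)s %(levelname)s %(message)s"}},
        "handlers": {
            "console": {"class": "logging.StreamHandler", "formatter": "std"}},
        "root": {"level": settings.get("LOG_LEVEL", "WARNING").upper(),
                 "handlers": ["console"]},
        "loggers": loggers,
    }


def configure_module_loggers(settings: dict) -> None:
    """Apply the per-module levels; safe to call again when settings change."""
    logging.config.dictConfig(logging_config(settings))


def effective_levels(names) -> dict:
    """Numeric effective level per logger name (children inherit from parents)."""
    return {name: logging.getLogger(name).getEffectiveLevel() for name in names}


def module_enabled(name: str, level_name: str) -> bool:
    """Would a record at `level_name` from logger `name` be emitted?"""
    return logging.getLogger(name).isEnabledFor(logging.getLevelName(level_name))


if __name__ == "__main__":
    configure_module_loggers(SETTINGS)
    logging.getLogger("gn_auth.auth.db.sqlite3").debug("shown: db is at DEBUG")
    logging.getLogger("gn_auth.auth.authorisation.roles").info("hidden: WARNING only")
    logging.getLogger("gn_auth.auth.requests").critical("hidden: module is off")
    logging.getLogger("gn_auth.other").info("shown: root level is INFO")
```

Because levels are resolved through the logger hierarchy, a single entry for `gn_auth.auth.db` covers every module beneath it, and a module can be muted in production without touching the root level that everything else inherits.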
|
|
The default system-level privilege is the "public-view", i.e. the
users can view basic details about the Genenetwork system. If no
authorisation is provided when accessing the /auth/system/roles
endpoint, return the default role/privilege.
|
|
Return a count of the total number of resources that the user has
access to even if we are only interested in a few of the records.
|
|