Merge pull request #432 from ARGOeu/devel

Version 3.4.1

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## [3.4.1] - 2022-04-07
+
+### Added
+
+* ARGO-3499 Poem: Warn user if service exists in metric profile but not in aggregation profile
+* ARGO-3618 Token protected API view for metric templates on SuperPOEM
+
+### Changed
+
+* ARGO-3672 Color "eol" tag red
+* ARGO-3565 Improve fetching and caching data in reports page
+
+### Fixed
+
+* ARGO-3670 Error saving tags for passive metrics
+* ARGO-3667 Resolve security issues
+
 ## [3.4.0] - 2022-02-10
 
 ### Added

poem/Poem/api/internal_views/apikey.py

@@ -4,6 +4,7 @@
 from Poem.api.views import NotFound
 from Poem.poem import models as poem_models
 from django.db.models import Q
+from django_tenants.utils import get_public_schema_name
 from rest_framework import status
 from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
@@ -18,19 +19,24 @@ class ListAPIKeys(APIView):
     def get(self, request, name=None):
         if name:
             try:
-                userprofile = poem_models.UserProfile.objects.get(
-                    user=request.user
-                )
-                regular_user = not request.user.is_superuser and (
-                    len(userprofile.groupsofaggregations.all()) > 0 or
-                    len(userprofile.groupsofmetricprofiles.all()) > 0 or
-                    len(userprofile.groupsofthresholdsprofiles.all()) > 0
-                )
-                regular_user_no_perms = not request.user.is_superuser and (
-                    len(userprofile.groupsofaggregations.all()) == 0 and
-                    len(userprofile.groupsofmetricprofiles.all()) == 0 and
-                    len(userprofile.groupsofthresholdsprofiles.all()) == 0
-                )
+                if request.tenant.schema_name == get_public_schema_name():
+                    regular_user = None
+                    regular_user_no_perms = None
+
+                else:
+                    userprofile = poem_models.UserProfile.objects.get(
+                        user=request.user
+                    )
+                    regular_user = not request.user.is_superuser and (
+                        len(userprofile.groupsofaggregations.all()) > 0 or
+                        len(userprofile.groupsofmetricprofiles.all()) > 0 or
+                        len(userprofile.groupsofthresholdsprofiles.all()) > 0
+                    )
+                    regular_user_no_perms = not request.user.is_superuser and (
+                        len(userprofile.groupsofaggregations.all()) == 0 and
+                        len(userprofile.groupsofmetricprofiles.all()) == 0 and
+                        len(userprofile.groupsofthresholdsprofiles.all()) == 0
+                    )
                 if request.user.is_superuser or (
                     regular_user and name.startswith('WEB-API')
                 ) or (

poem/Poem/api/tests/test_apikey.py

@@ -69,11 +69,13 @@ def setUp(self):
 
     def test_permission_denied_in_case_no_authorization(self):
         request = self.factory.get(self.url)
+        request.tenant = self.tenant
         response = self.view(request)
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
     def test_get_list_of_apikeys(self):
         request = self.factory.get(self.url)
+        request.tenant = self.tenant
         force_authenticate(request, user=self.user)
         response = self.view(request)
         self.assertEqual(
@@ -114,6 +116,7 @@ def test_get_list_of_apikeys(self):
 
     def test_get_list_of_apikeys_regular_user_with_some_permissions(self):
         request = self.factory.get(self.url)
+        request.tenant = self.tenant
         force_authenticate(request, user=self.regular_user)
         response = self.view(request)
         self.assertEqual(
@@ -136,6 +139,7 @@ def test_get_list_of_apikeys_regular_user_with_some_permissions(self):
 
     def test_get_list_of_apikeys_regular_user_with_no_permissions(self):
         request = self.factory.get(self.url)
+        request.tenant = self.tenant
         force_authenticate(request, user=self.poor_user)
         response = self.view(request)
         self.assertEqual(
@@ -158,6 +162,7 @@ def test_get_list_of_apikeys_regular_user_with_no_permissions(self):
 
     def test_get_apikey_for_given_name(self):
         request = self.factory.get(self.url + 'EGI')
+        request.tenant = self.tenant
         force_authenticate(request, user=self.user)
         response = self.view(request, 'EGI')
         self.assertEqual(
@@ -173,6 +178,7 @@ def test_get_apikey_for_given_name(self):
 
     def test_get_apikey_for_given_name_regular_user(self):
         request = self.factory.get(self.url + 'EGI')
+        request.tenant = self.tenant
         force_authenticate(request, user=self.regular_user)
         response = self.view(request, 'EGI')
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
@@ -183,6 +189,7 @@ def test_get_apikey_for_given_name_regular_user(self):
 
     def test_get_apikey_for_given_name_regular_user_without_permissions(self):
         request = self.factory.get(self.url + 'EGI')
+        request.tenant = self.tenant
         force_authenticate(request, user=self.poor_user)
         response = self.view(request, 'EGI')
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
@@ -193,6 +200,7 @@ def test_get_apikey_for_given_name_regular_user_without_permissions(self):
 
     def test_get_apikey_for_webapi_name_regular_user(self):
         request = self.factory.get(self.url + 'WEB-API')
+        request.tenant = self.tenant
         force_authenticate(request, user=self.regular_user)
         response = self.view(request, 'WEB-API')
         self.assertEqual(
@@ -208,6 +216,7 @@ def test_get_apikey_for_webapi_name_regular_user(self):
 
     def test_get_apikey_for_webapi_name_regular_user_without_permissions(self):
         request = self.factory.get(self.url + 'WEB-API')
+        request.tenant = self.tenant
         force_authenticate(request, user=self.poor_user)
         response = self.view(request, 'WEB-API')
         self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
@@ -218,6 +227,7 @@ def test_get_apikey_for_webapi_name_regular_user_without_permissions(self):
 
     def test_get_apikey_for_webapi_ro_name_regular_user_without_perms(self):
         request = self.factory.get(self.url + 'WEB-API-RO')
+        request.tenant = self.tenant
         force_authenticate(request, user=self.poor_user)
         response = self.view(request, 'WEB-API-RO')
         self.assertEqual(

poem/Poem/api/tests/test_helpers.py

@@ -3256,6 +3256,27 @@ def test_update_all_metrics_on_metrictemplate_change(self, mock_update):
             )
         ], any_order=True)
 
+    @patch("Poem.helpers.metrics_helpers.update_metric_in_schema")
+    def test_update_all_passive_metrics_on_metrictemplate_change(
+            self, mock_update
+    ):
+        mock_update.side_effect = mocked_func
+        metrictemplate = admin_models.MetricTemplate.objects.get(
+            name="org.apel.APEL-Pub"
+        )
+        update_metrics(metrictemplate, "org.apel.APEL-Pub", None)
+        self.assertEqual(mock_update.call_count, 2)
+        mock_update.assert_has_calls([
+            call(
+                mt_id=metrictemplate.id, name="org.apel.APEL-Pub",
+                pk_id=None, schema="test", user=""
+            ),
+            call(
+                mt_id=metrictemplate.id, name="org.apel.APEL-Pub",
+                pk_id=None, schema="test2", user=""
+            )
+        ], any_order=True)
+
 
 class MetricsInProfilesTests(TenantTestCase):
     def setUp(self):