Add support for invalidating users JWTs #17465
Conversation
shweta83
added
No-CherryPick
| @@ -307,6 +308,88 @@ def test_positive_create_product_with_limited_user_permission( | |||
| assert newsession.product.search(product_name)[0]['Name'] == product_name | |||
|
|
|||
|
|
|||
| @pytest.mark.rhel_ver_match('8') | |||
There was a problem hiding this comment.
Do we really need tier decorator now? What is the purpose to use it. I thought it has become obsolete now.
There was a problem hiding this comment.
Frankly, I don't know. At least for consistency, I would expect it to be there. Best to ask CI team what is expected regarding tier decorators.
There was a problem hiding this comment.
I remember a discussion over it and I think it is not required but would like to have some thoughts on it.
@devendra104 wdyt?
tests/foreman/ui/test_user.py
Outdated
| :id: be328fd7-b640-4080-9373-25f96ba2aef6 | ||
|
|
||
| :steps: | ||
| 1. Create an admin user and an non-admin user with "edit_users" and "view_users" permissions. |
There was a problem hiding this comment.
Should there also be a test for a user without edit_users and view_users permissions invalidating their own JWT token?
There was a problem hiding this comment.
It doesn't work with UI as Administer -> Settings -> User tab won't be visible without these permissions so I left that out.
There was a problem hiding this comment.
From the ticket, Scope part:
A user can invalidate self's token
There was a problem hiding this comment.
Yeah, that too needs same permissions for UI.
| 'password': password, | ||
| } | ||
| role = module_target_sat.cli.Role.info({'name': 'Register hosts'}) | ||
| module_target_sat.cli.User.add_role({'id': non_admin_user.id, 'role-id': role['id']}) |
There was a problem hiding this comment.
Can you add the role while creating the user?
There was a problem hiding this comment.
This was intentionally done . There are 2 roles in it.
| result = session.login.logout() | ||
|
|
||
| session.login.login(login_details) | ||
| session.user.invalidate_jwt(admin_user.login) |
There was a problem hiding this comment.
You don't assert anything after invalidating admin's token.
There was a problem hiding this comment.
Yes, I missed that. Updated.
| activation_keys=[ak.name], | ||
| force=True, | ||
| ) | ||
| assert result.status == 1, f'Failed to register host: {result.stderr}' |
There was a problem hiding this comment.
There is probably a wrong error message when this fails. Also, it may be worth it checking more than just status.
tests/foreman/ui/test_user.py
Outdated
| session.organization.select(org.name) | ||
| session.location.select(module_location.name) | ||
| user_cfg = user_nailgun_config(non_admin_user, password) | ||
| result = rhel_contenthost.api_register( |
There was a problem hiding this comment.
I may be missing something here. Where do you generate the JWT? Does api_register do it? How come it doesn't do the same, i.e. generate a new JWT, when you use it the second time?
There was a problem hiding this comment.
The token generated by registration command is the one. But, I have missed one point earlier which I have updated in the code. Please check.
shweta83
force-pushed
the
jwt_invalidate
branch
from
a386f15 to
8fb7c35
Compare
|
trigger: test-robottelo |
|
PRT Result |
Satellite-QE
added
the
PRT-Failed
shweta83
force-pushed
the
jwt_invalidate
branch
3 times, most recently
from
61314c6 to
a71c6af
Compare
|
trigger: test-robottelo |
|
PRT Result |
Satellite-QE
added
PRT-Passed
Satellite-QE
removed
the
PRT-Passed
shweta83
force-pushed
the
jwt_invalidate
branch
from
6784110 to
795d840
Compare
|
trigger: test-robottelo |
|
PRT Result |
Satellite-QE
added
the
PRT-Passed
Problem Statement
Add support for Invalidate JWT feature : SAT-27385
Solution
Added support for it.
Related Issues
SatelliteQE/airgun#1721