added support admins pluginconfig managemnent #1470

[federicofantini]

Description

Added support to admin permission management plugin config: now you don't need to be an owner but just be an admin of an organization.
NOTE: this update do not cover the frontend.

Type of change

• New feature (non-breaking change which adds functionality).

Checklist

• I have read and understood the rules about how to Contribute to this project
• The pull request is for the branch develop
• A new plugin (analyzer, connector, visualizer, playbook or ingestor) was added or changed, in which case:
  • Usage file was updated.
  • Advanced-Usage was updated (in case the plugin provides additional optional configuration).
  • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
  • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
  • If you created a new analyzer and it is free (does not require API keys), please add it in the FREE_TO_USE_ANALYZERS playbook in playbook_config.json.
  • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
  • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
• If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
• Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
• If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md).
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.

[mlodic]

I leave the review to @0ssigeno only. Thanks for the contribution :)

[0ssigeno]

Unfortunately, with this condition, if you are an admin you can see the configuration of every other organization user values. This is obviously not intended.
1 - Can we add a test to verify or refute this claim?
2 - If the claim is valid, I would suggest something like

if membership.is_admin:

    Q(for_organization=True, owner__membership__organization=membership.organization) | 
    Q(owner=user) | Q(owner_isnull=True)

The test that you will make should fail before and pass after this change

[federicofantini]

I was reasoning that in this case being admin/owner/user is indifferent to the level of visibility of the configs in the org...
I think the following code should be enough:

# If you are member of an organization you should see the configs.
return self.filter(
    Q(for_organization=True, owner__membership__organization=membership.organization)
    | Q(owner=user)
    | Q(owner__isnull=True)
)

[0ssigeno]

If you are admin you can retrieve the value of another organization.
The check should be something like

 obj_owner = getattr(obj, "owner", None):
 # if the object was not made for an organization, we return false
if not obj_owner or not obj_owner.has_membership():
    return False
 else:
    # if we are admin we can e have to check that is our org
    return request.user.has_membership() and request.user.membership.is_admin and obj_owner.membership.organization == request.user.membership.organization

[0ssigeno]

You can remove the is_owner chec, since the owner is always admin

[0ssigeno]

Ok we starts to need some sort of comment in this boolean expression because it is breaking my mind.

This should mean

we raise ValidationError() when
1 - we are not owner  OR
2 - we are not admin of the same org

If I did not fucked up the boolean expression, the check seems valid to me, I would just suggest to add a comment because it took me 5 minutes to understand what was going on

[0ssigeno]

We need a comment here too, this is fucking me up.

We return `redacted` when
1) is a secret AND
2) is a value for the organization AND
3) we are not its owner  OR
4) we are not an admin of the same organization

if I did not fuck up the boolean expression, it seems good to me, just add a comment for future us

[codecov]

Codecov Report

Merging #1837 (16e1596) into develop (77977ed) will increase coverage by 0.02%.
Report is 12 commits behind head on develop.
The diff coverage is 66.66%.

@@             Coverage Diff             @@
##           develop    #1837      +/-   ##
===========================================
+ Coverage    76.20%   76.22%   +0.02%     
===========================================
  Files          378      381       +3     
  Lines        12380    12475      +95     
  Branches      1303     1315      +12     
===========================================
+ Hits          9434     9509      +75     
- Misses        2408     2426      +18     
- Partials       538      540       +2     

Files Changed	Coverage Δ
api_app/models.py	85.95% <ø> (+0.41%)	⬆️
api_app/queryset.py	95.50% <ø> (ø)
api_app/permissions.py	60.00% <20.00%> (-6.67%)	⬇️
api_app/views.py	85.47% <87.50%> (+0.16%)	⬆️
api_app/serializers.py	84.54% <100.00%> (+0.34%)	⬆️

... and 7 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 77977ed...16e1596. Read the comment docs.

[0ssigeno]

LGTM. The only thing missing is to allow the org owner to add/remove admins from the org panel in the frontend.
I will open a different issue to keep track of this.