Add a special group to allow names with underscore (unioslo#521)

This commit adds a new permission group that allows members of that group to use the underscore character in names when creating all types of DNS records. Regular users are still only allowed to use underscores in SRV records.
terjekv · Nov 24, 2023 · 348d1a7 · 348d1a7
1 parent ac43c12
commit 348d1a7
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/mreg/api/permissions.py b/mreg/api/permissions.py
@@ -10,6 +10,7 @@
 SUPERUSER_GROUP = 'SUPERUSER_GROUP'
 ADMINUSER_GROUP = 'ADMINUSER_GROUP'
 DNS_WILDCARD_GROUP = 'DNS_WILDCARD_GROUP'
+DNS_UNDERSCORE_GROUP = 'DNS_UNDERSCORE_GROUP'
 
 
 def get_settings_groups(group_setting_name):
@@ -134,9 +135,11 @@ def _deny_superuser_only_names(data=None, name=None, view=None, request=None):
             if 'host' in data:
                 name = data['host'].name
 
-    # Underscore is allowed for non-superuser in SRV records
+    # Underscore is allowed for non-superuser in SRV records,
+    # and for members of <DNS_UNDERSCORE_GROUP> in all records.
     if '_' in name and not isinstance(view, (mreg.api.v1.views.SrvDetail,
-                                             mreg.api.v1.views.SrvList)):
+                                             mreg.api.v1.views.SrvList)) \
+                   and not request_in_settings_group(request, DNS_UNDERSCORE_GROUP):
         return True
 
     # Except for super-users, only members of the DNS wildcard group can create wildcard records.

diff --git a/mreg/api/v1/tests/test_host_permissions.py b/mreg/api/v1/tests/test_host_permissions.py
@@ -282,9 +282,24 @@ def test_can_not_add_txt_to_host_without_ip(self):
 
 
 class Underscore(MregAPITestCase):
-    """Test that only superusers can create entries with an underscore."""
 
+    """Test that superusers can create entries with an underscore, but regular users can't."""
     def test_can_create_hostname_with_prefix_underscore(self):
+        data1 = {'name': '_host1.example.org', 'ipaddress': '10.0.0.1'}
+        data2 = {'name': 'host2._sub.example.org', 'ipaddress': '10.0.0.2'}
+        superuser_client = self.client
+        self.client = self.get_token_client(superuser=False)
+        self.assert_post_and_403('/hosts/', data1)
+        self.assert_post_and_403('/hosts/', data2)
+        self.client = superuser_client
+        self.assert_post('/hosts/', data1)
+        self.assert_post('/hosts/', data2)
+
+    """Members in DNS_UNDERSCORE_GROUP can create entries with an underscore."""
+    def test_special_group_members_create_underscore(self):
+        self.client = self.get_token_client(superuser=False, adminuser=True)
+        self.add_user_to_groups('DNS_UNDERSCORE_GROUP')
+        path = '/api/v1/hosts/'
         data1 = {'name': '_host1.example.org', 'ipaddress': '10.0.0.1'}
         data2 = {'name': 'host2._sub.example.org', 'ipaddress': '10.0.0.2'}
         self.assert_post('/hosts/', data1)

diff --git a/mregsite/settings.py b/mregsite/settings.py
@@ -329,3 +329,4 @@
     NETWORK_ADMIN_GROUP = "default-networkadmin-group"
     HOSTPOLICYADMIN_GROUP = "default-hostpolicyadmin-group"
     DNS_WILDCARD_GROUP = "default-dns-wildcard-group"
+    DNS_UNDERSCORE_GROUP = "default-dns-underscore-group"