test coverage for Authenticator.managed_groups

- tests
- docs
- ensure all group APIs are rejected when auth is in control
- use 'groups' field in return value of authenticate/refresh_user, instead of defining new method
- log group changes in sync_groups
Min RK
2022-01-20 14:44:47 +01:00
parent 144abcb965
commit 88be7a9967
9 changed files with 226 additions and 39 deletions


@@ -33,6 +33,11 @@ class _GroupAPIHandler(APIHandler):
raise web.HTTPError(404, "No such group: %s", group_name)
return group
def check_authenticator_managed_groups(self):
"""Raise error on group-management APIs if Authenticator is managing groups"""
if self.authenticator.manage_groups:
raise web.HTTPError(400, "Group management via API is disabled")
class GroupListAPIHandler(_GroupAPIHandler):
@needs_scope('list:groups')
@@ -69,8 +74,7 @@ class GroupListAPIHandler(_GroupAPIHandler):
async def post(self):
"""POST creates Multiple groups"""
if self.authenticator.manage_groups:
raise web.HTTPError(400, "Group management via API is disabled")
self.check_authenticator_managed_groups()
model = self.get_json_body()
if not model or not isinstance(model, dict) or not model.get('groups'):
@@ -110,6 +114,7 @@ class GroupAPIHandler(_GroupAPIHandler):
@needs_scope('admin:groups')
async def post(self, group_name):
"""POST creates a group by name"""
self.check_authenticator_managed_groups()
model = self.get_json_body()
if model is None:
model = {}
@@ -136,6 +141,7 @@ class GroupAPIHandler(_GroupAPIHandler):
@needs_scope('delete:groups')
def delete(self, group_name):
"""Delete a group by name"""
self.check_authenticator_managed_groups()
group = self.find_group(group_name)
self.log.info("Deleting group %s", group_name)
self.db.delete(group)
@@ -149,6 +155,7 @@ class GroupUsersAPIHandler(_GroupAPIHandler):
@needs_scope('groups')
def post(self, group_name):
"""POST adds users to a group"""
self.check_authenticator_managed_groups()
group = self.find_group(group_name)
data = self.get_json_body()
self._check_group_model(data)
@@ -167,6 +174,7 @@ class GroupUsersAPIHandler(_GroupAPIHandler):
@needs_scope('groups')
async def delete(self, group_name):
"""DELETE removes users from a group"""
self.check_authenticator_managed_groups()
group = self.find_group(group_name)
data = self.get_json_body()
self._check_group_model(data)
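Review bot: The guard added in `check_authenticator_managed_groups()` is opt-in per handler, so a state-changing group method that omits the call stays writable through the API while the Authenticator owns group membership. The five calls in these hunks cover the `post` and `delete` methods shown for `GroupListAPIHandler`, `GroupAPIHandler` and `GroupUsersAPIHandler`; the rest of the file is outside this view, so whether any other non-GET method exists cannot be confirmed from here. If group membership feeds permission decisions (presumably it does), a missed handler would let an API client change membership out of band from the identity source. I would state the contract on the helper, e.g. `"""Raise 400 on group-modifying APIs when Authenticator.manage_groups is set; every non-GET group handler must call this before touching the database."""`, and have the test walk every non-GET group route with `manage_groups` enabled rather than a hand-picked list. Keeping the call inside the method body, under `@needs_scope`, is worth preserving: the scope check presumably still runs first, so callers without the scope do not learn the configuration.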