Merge pull request #2538 from wwitzel3/issue-2349

Credential bug fixes for access and uniqueness
2026-01-16 04:10:44 -03:30 · 2016-06-21 16:40:14 -04:00 · 2016-06-21 16:40:14 -04:00 · 06c74ced76
commit 06c74ced76
parent d97b5bfa11 52b16620cd
5 changed files with 69 additions and 2 deletions
--- a/awx/main/migrations/0026_v300_credential_unique.py
+++ b/awx/main/migrations/0026_v300_credential_unique.py
@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from awx.main.migrations import _rbac as rbac
+from django.db import migrations
+import awx.main.fields
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0025_v300_update_rbac_parents'),
+    ]
+
+    operations = [
+        migrations.AlterUniqueTogether(
+            name='credential',
+            unique_together=set([('organization', 'name', 'kind')]),
+        ),
+        migrations.AlterField(
+            model_name='credential',
+            name='read_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor', b'use_role', b'owner_role', b'organization.auditor_role'], to='main.Role', null=b'True'),
+        ),
+        migrations.RunPython(rbac.rebuild_role_hierarchy),
+    ]
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@ -162,9 +162,10 @@ def _discover_credentials(instances, cred, orgfunc):
            else:
                # Create a new credential
                cred.pk = None
+                cred.organization = None
                cred.save()

-                cred.owner_role, cred.use_role, cred.organization = None, None, None
+                cred.owner_role, cred.use_role = None, None

                for i in orgs[org]:
                    i.credential = cred
--- a/awx/main/models/credential.py
+++ b/awx/main/models/credential.py
@ -61,6 +61,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
    class Meta:
        app_label = 'main'
        ordering = ('kind', 'name')
+        unique_together = (('organization', 'name', 'kind'),)

    deprecated_user = models.ForeignKey(
        'auth.User',
@ -224,8 +225,9 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
    )
    read_role = ImplicitRoleField(parent_role=[
        'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
+        'organization.auditor_role',
        'use_role',
-        'owner_role'
+        'owner_role',
    ])

    @property
--- a/awx/main/tests/functional/test_db_credential.py
+++ b/awx/main/tests/functional/test_db_credential.py
@ -0,0 +1,15 @@
+import pytest
+
+from django.db import IntegrityError
+from awx.main.models import Credential
+
+@pytest.mark.django_db
+def test_cred_unique_org_name_kind(organization_factory):
+    objects = organization_factory("test")
+
+    cred = Credential(name="test", kind="net", organization=objects.organization)
+    cred.save()
+
+    with pytest.raises(IntegrityError):
+        cred = Credential(name="test", kind="net", organization=objects.organization)
+        cred.save()
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@ -18,6 +18,19 @@ def test_credential_migration_user(credential, user, permissions):

    assert u in credential.owner_role

+@pytest.mark.django_db
+def test_two_teams_same_cred_name(organization_factory):
+    objects = organization_factory("test",
+                                   teams=["team1", "team2"])
+
+    cred1 = Credential.objects.create(name="test", kind="net", deprecated_team=objects.teams.team1)
+    cred2 = Credential.objects.create(name="test", kind="net", deprecated_team=objects.teams.team2)
+
+    rbac.migrate_credential(apps, None)
+
+    assert objects.teams.team1.member_role in cred1.owner_role.parents.all()
+    assert objects.teams.team2.member_role in cred2.owner_role.parents.all()
+
@pytest.mark.django_db
 def test_credential_use_role(credential, user, permissions):
    u = user('user', False)
@ -64,6 +77,17 @@ def test_credential_access_superuser():
    assert access.can_change(credential, None)
    assert access.can_delete(credential)

+@pytest.mark.django_db
+def test_credential_access_auditor(credential, organization_factory):
+    objects = organization_factory("org_cred_auditor",
+                                   users=["user1"],
+                                   roles=['org_cred_auditor.auditor_role:user1'])
+    credential.organization = objects.organization
+    credential.save()
+
+    access = CredentialAccess(objects.users.user1)
+    assert access.can_read(credential)
+
@pytest.mark.django_db
 def test_credential_access_admin(user, team, credential):
    u = user('org-admin', False)