Merge branch 'devel' into can_CRUD

awx/main/tests/functional/api/test_credential.py

@@ -71,7 +71,6 @@ def test_create_user_credential_via_user_credentials_list_xfail(post, alice, bob
 def test_create_team_credential(post, get, team, organization, org_admin, team_member):
     response = post(reverse('api:credential_list'), {
         'team': team.id,
-        'organization': organization.id,
         'name': 'Some name',
         'username': 'someusername'
     }, org_admin)
@@ -81,6 +80,9 @@ def test_create_team_credential(post, get, team, organization, org_admin, team_m
     assert response.status_code == 200
     assert response.data['count'] == 1
 
+    # Assure that credential's organization is implictly set to team's org
+    assert response.data['results'][0]['summary_fields']['organization']['id'] == team.organization.id
+
 @pytest.mark.django_db
 def test_create_team_credential_via_team_credentials_list(post, get, team, org_admin, team_member):
     response = post(reverse('api:team_credentials_list', args=(team.pk,)), {

awx/main/tests/functional/test_rbac_credential.py

@@ -54,21 +54,40 @@ def test_credential_migration_team_member(credential, team, user, permissions):
 
     rbac.migrate_credential(apps, None)
 
-    # Admin permissions post migration
+    # User permissions post migration
     assert u in credential.use_role
+    assert u not in credential.admin_role
 
 @pytest.mark.django_db
 def test_credential_migration_team_admin(credential, team, user, permissions):
     u = user('user', False)
-    team.member_role.members.add(u)
+    team.admin_role.members.add(u)
     credential.deprecated_team = team
     credential.save()
 
     assert u not in credential.use_role
 
-    # Usage permissions post migration
+    # Admin permissions post migration
     rbac.migrate_credential(apps, None)
-    assert u in credential.use_role
+    assert u in credential.admin_role
+
+@pytest.mark.django_db
+def test_credential_migration_org_auditor(credential, team, org_auditor):
+    # Team's organization is the org_auditor's org
+    credential.deprecated_team = team
+    credential.save()
+
+    # No permissions pre-migration (this happens automatically so we patch this)
+    team.admin_role.children.remove(credential.admin_role)
+    team.member_role.children.remove(credential.use_role)
+    assert org_auditor not in credential.read_role
+
+    rbac.migrate_credential(apps, None)
+    rbac.infer_credential_org_from_team(apps, None)
+
+    # Read permissions post migration
+    assert org_auditor not in credential.use_role
+    assert org_auditor in credential.read_role
 
 def test_credential_access_superuser():
     u = User(username='admin', is_superuser=True)

awx/main/tests/old/users.py

@@ -192,8 +192,12 @@ class UsersTest(BaseTest):
         self.post(url, expect=403, data=new_user, auth=self.get_other_credentials())
         self.post(url, expect=201, data=new_user, auth=self.get_super_credentials())
         self.post(url, expect=400, data=new_user, auth=self.get_super_credentials())
-        self.post(url, expect=201, data=new_user2, auth=self.get_normal_credentials())
-        self.post(url, expect=400, data=new_user2, auth=self.get_normal_credentials())
+        # org admin cannot create orphaned users
+        self.post(url, expect=403, data=new_user2, auth=self.get_normal_credentials())
+        # org admin can create org users
+        org_url = reverse('api:organization_users_list', args=(self.organizations[0].pk,))
+        self.post(org_url, expect=201, data=new_user2, auth=self.get_normal_credentials())
+        self.post(org_url, expect=400, data=new_user2, auth=self.get_normal_credentials())
         # Normal user cannot add users after his org is marked inactive.
         self.organizations[0].delete()
         new_user3 = dict(username='blippy3')
@@ -325,9 +329,9 @@ class UsersTest(BaseTest):
         detail_url = reverse('api:user_detail', args=(self.other_django_user.pk,))
         data = self.get(detail_url, expect=200, auth=self.get_other_credentials())
 
-        # can't change first_name, last_name, etc
+        # can change first_name, last_name, etc
         data['last_name'] = "NewLastName"
-        self.put(detail_url, data, expect=403, auth=self.get_other_credentials())
+        self.put(detail_url, data, expect=200, auth=self.get_other_credentials())
 
         # can't change username
         data['username'] = 'newUsername'
@@ -367,23 +371,20 @@ class UsersTest(BaseTest):
         url = reverse('api:user_list')
         data  = dict(username='username',  password='password')
         data2 = dict(username='username2', password='password2')
-        data = self.post(url, expect=201, data=data, auth=self.get_normal_credentials())
 
+        # but a regular user cannot create users
+        self.post(url, expect=403, data=data2, auth=self.get_other_credentials())
+        # org admins cannot create orphaned users
+        self.post(url, expect=403, data=data2, auth=self.get_normal_credentials())
+
+        # a super user can create new users
+        self.post(url, expect=201, data=data, auth=self.get_super_credentials())
         # verify that the login works...
         self.get(url, expect=200, auth=('username', 'password'))
 
-        # but a regular user cannot
-        data = self.post(url, expect=403, data=data2, auth=self.get_other_credentials())
-
-        # a super user can also create new users
-        data = self.post(url, expect=201, data=data2, auth=self.get_super_credentials())
-
-        # verify that the login works
-        self.get(url, expect=200, auth=('username2', 'password2'))
-
         # verify that if you post a user with a pk, you do not alter that user's password info
         mod = dict(id=self.super_django_user.pk, username='change', password='change')
-        data = self.post(url, expect=201, data=mod, auth=self.get_super_credentials())
+        self.post(url, expect=201, data=mod, auth=self.get_super_credentials())
         orig = User.objects.get(pk=self.super_django_user.pk)
         self.assertTrue(orig.username != 'change')
 

awx/main/tests/unit/api/test_roles.py

@@ -19,7 +19,6 @@ from awx.main.models import (
     Role,
 )
 
-@pytest.mark.skip(reason="Seeing pk error, suspect weirdness in mocking requests")
 @pytest.mark.parametrize("pk, err", [
     (111, "not change the membership"),
     (1, "may not perform"),
@@ -38,18 +37,17 @@ def test_user_roles_list_user_admin_role(pk, err):
             factory = APIRequestFactory()
             view = UserRolesList.as_view()
 
-            user = User(username="root", is_superuser=True)
+            user = User(username="root", is_superuser=True, pk=1, id=1)
 
             request = factory.post("/user/1/roles", {'id':pk}, format="json")
             force_authenticate(request, user)
 
-            response = view(request)
+            response = view(request, pk=user.pk)
             response.render()
 
             assert response.status_code == 403
             assert err in response.content
 
-@pytest.mark.skip(reason="db access or mocking needed for new tests in role assignment code")
 @pytest.mark.parametrize("admin_role, err", [
     (True, "may not perform"),
     (False, "not change the membership"),
@@ -70,10 +68,13 @@ def test_role_users_list_other_user_admin_role(admin_role, err):
             view = RoleUsersList.as_view()
 
             user = User(username="root", is_superuser=True, pk=1, id=1)
+            queried_user = User(username="maynard")
+
             request = factory.post("/role/1/users", {'id':1}, format="json")
             force_authenticate(request, user)
 
-            response = view(request)
+            with mock.patch('awx.api.views.get_object_or_400', return_value=queried_user):
+                response = view(request)
             response.render()
 
             assert response.status_code == 403