diff --git a/awx/main/models/__init__.py b/awx/main/models/__init__.py
index 2f4d02a7b9..c4623571ac 100644
--- a/awx/main/models/__init__.py
+++ b/awx/main/models/__init__.py
@@ -112,7 +112,6 @@ activity_stream_registrar.connect(Credential)
 activity_stream_registrar.connect(Team)
 activity_stream_registrar.connect(Project)
 #activity_stream_registrar.connect(ProjectUpdate)
-activity_stream_registrar.connect(Permission)
 activity_stream_registrar.connect(JobTemplate)
 activity_stream_registrar.connect(Job)
 activity_stream_registrar.connect(AdHocCommand)
diff --git a/awx/main/models/activity_stream.py b/awx/main/models/activity_stream.py
index d0ca5d97b8..ddbdae1227 100644
--- a/awx/main/models/activity_stream.py
+++ b/awx/main/models/activity_stream.py
@@ -48,7 +48,6 @@ class ActivityStream(models.Model):
 team = models.ManyToManyField("Team", blank=True)
 project = models.ManyToManyField("Project", blank=True)
 project_update = models.ManyToManyField("ProjectUpdate", blank=True)
- permission = models.ManyToManyField("Permission", blank=True)
 job_template = models.ManyToManyField("JobTemplate", blank=True)
 job = models.ManyToManyField("Job", blank=True)
 workflow_job_template_node = models.ManyToManyField("WorkflowJobTemplateNode", blank=True)
diff --git a/awx/main/models/credential.py b/awx/main/models/credential.py
index 929b80883c..32a0da5abe 100644
--- a/awx/main/models/credential.py
+++ b/awx/main/models/credential.py
@@ -215,22 +215,6 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
 PASSWORD_FIELDS = ['inputs']
- deprecated_user = models.ForeignKey(
- 'auth.User',
- null=True,
- default=None,
- blank=True,
- on_delete=models.CASCADE,
- related_name='deprecated_credentials',
- )
- deprecated_team = models.ForeignKey(
- 'Team',
- null=True,
- default=None,
- blank=True,
- on_delete=models.CASCADE,
- related_name='deprecated_credentials',
- )
 credential_type = models.ForeignKey(
 'CredentialType',
 related_name='credentials',
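Review bot: Dropping the `permission` ManyToManyField from ActivityStream severs the link between already-recorded activity-stream rows and the legacy Permission objects they referred to, so the audit history of those grants can no longer be resolved through this relation once the through-table is gone. That is presumably intended since the Permission model itself is being removed, but it should be stated explicitly in the schema migration that accompanies this field removal (not visible in this chunk), and it is worth confirming that nothing in the activity-stream serializers or API filters still expects a `permission` key. The ActivityStream class body continues outside the hunk.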
@@ -391,10 +375,6 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
 'SSH key is not encrypted.'))
 return self.ssh_key_unlock
- def clean(self):
- if self.deprecated_user and self.deprecated_team:
- raise ValidationError(_('Credential cannot be assigned to both a user and team.'))
-
 def _password_field_allows_ask(self, field):
 return field in self.credential_type.askable_fields
@@ -402,26 +382,6 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
 inputs_before = {}
 # If update_fields has been specified, add our field names to it,
 # if hit hasn't been specified, then we're just doing a normal save.
- update_fields = kwargs.get('update_fields', [])
- # If updating a credential, make sure that we only allow user OR team
- # to be set, and clear out the other field based on which one has
- # changed.
- if self.pk:
- cred_before = Credential.objects.get(pk=self.pk)
- if self.deprecated_user and self.deprecated_team:
- # If the user changed, remove the previously assigned team.
- if cred_before.user != self.user:
- self.deprecated_team = None
- if 'deprecated_team' not in update_fields:
- update_fields.append('deprecated_team')
- # If the team changed, remove the previously assigned user.
- elif cred_before.deprecated_team != self.deprecated_team:
- self.deprecated_user = None
- if 'deprecated_user' not in update_fields:
- update_fields.append('deprecated_user')
-
- inputs_before = cred_before.inputs
-
 self.PASSWORD_FIELDS = self.credential_type.secret_fields
 if self.pk:
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index f0b59a6fb3..eccfdfba42 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
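Review bot: The two context lines `# If update_fields has been specified, add our field names to it,` / `# if hit hasn't been specified, then we're just doing a normal save.` now describe the `update_fields = kwargs.get(...)` handling that this hunk deletes, so they are stale and should be removed or rewritten to cover what the remaining `if self.pk:` branch actually does. The deletion also takes `inputs_before = cred_before.inputs` with it, leaving `inputs_before` at `{}` unless the `if self.pk:` block that follows (outside this hunk) re-reads the stored credential and reassigns it — worth confirming, since that value is presumably what lets save() compare previously stored secret inputs against the new ones. The body of save() continues past the end of the hunk.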
@@ -24,7 +24,7 @@ from awx.main.models.rbac import (
 )
 from awx.main.models.mixins import ResourceMixin
-__all__ = ['Organization', 'Team', 'Permission', 'Profile', 'AuthToken']
+__all__ = ['Organization', 'Team', 'Profile', 'AuthToken']
 class Organization(CommonModel, NotificationFieldsModel, ResourceMixin):
@@ -36,21 +36,6 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin):
 app_label = 'main'
 ordering = ('name',)
- deprecated_users = models.ManyToManyField(
- 'auth.User',
- blank=True,
- related_name='deprecated_organizations',
- )
- deprecated_admins = models.ManyToManyField(
- 'auth.User',
- blank=True,
- related_name='deprecated_admin_of_organizations',
- )
- deprecated_projects = models.ManyToManyField(
- 'Project',
- blank=True,
- related_name='deprecated_organizations',
- )
 admin_role = ImplicitRoleField(
 parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
 )
@@ -82,11 +67,6 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
 unique_together = [('organization', 'name')]
 ordering = ('organization__name', 'name')
- deprecated_users = models.ManyToManyField(
- 'auth.User',
- blank=True,
- related_name='deprecated_teams',
- )
 organization = models.ForeignKey(
 'Organization',
 blank=False,
@@ -94,11 +74,6 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
 on_delete=models.CASCADE,
 related_name='teams',
 )
- deprecated_projects = models.ManyToManyField(
- 'Project',
- blank=True,
- related_name='deprecated_teams',
- )
 admin_role = ImplicitRoleField(
 parent_role='organization.admin_role',
 )
@@ -113,64 +88,6 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
 return reverse('api:team_detail', kwargs={'pk': self.pk}, request=request)
-class Permission(CommonModelNameNotUnique):
- '''
- A permission allows a user, project, or team to be able to use an inventory source.
-
- NOTE: This class is deprecated, permissions and access is to be handled by
- our new RBAC system. This class should be able to be safely removed after a 3.0.0
- migration. - anoek 2016-01-28
- '''
-
- class Meta:
- app_label = 'main'
-
- # permissions are granted to either a user or a team:
- user = models.ForeignKey('auth.User', null=True, on_delete=models.SET_NULL, blank=True, related_name='permissions')
- team = models.ForeignKey('Team', null=True, on_delete=models.SET_NULL, blank=True, related_name='permissions')
-
- # to be used against a project or inventory (or a project and inventory in conjunction):
- project = models.ForeignKey(
- 'Project',
- blank=True,
- null=True,
- on_delete=models.SET_NULL,
- related_name='permissions',
- )
- inventory = models.ForeignKey('Inventory', null=True, on_delete=models.SET_NULL, related_name='permissions')
-
- # permission system explanation:
- #
- # for example, user A on inventory X has write permissions (PERM_INVENTORY_WRITE)
- # team C on inventory X has read permissions (PERM_INVENTORY_READ)
- # user A can create job templates (PERM_JOBTEMPLATE_CREATE)
- # team C on inventory X and project Y has launch permissions (PERM_INVENTORY_DEPLOY)
- # team C on inventory X and project Z has dry run permissions (PERM_INVENTORY_CHECK)
- #
- # basically for launching, permissions can be awarded to the whole inventory source or just the inventory source
- # in context of a given project.
- #
- # the project parameter is not used when dealing with READ, WRITE, or ADMIN permissions.
-
- permission_type = models.CharField(max_length=64, choices=PERMISSION_TYPE_CHOICES)
- run_ad_hoc_commands = models.BooleanField(default=False,
- help_text=_('Execute Commands on the Inventory'))
-
- def __unicode__(self):
- return unicode("Permission(name=%s,ON(user=%s,team=%s),FOR(project=%s,inventory=%s,type=%s%s))" % (
- self.name,
- self.user,
- self.team,
- self.project,
- self.inventory,
- self.permission_type,
- '+adhoc' if self.run_ad_hoc_commands else '',
- ))
-
- def get_absolute_url(self, request=None):
- return reverse('api:permission_detail', kwargs={'pk': self.pk}, request=request)
-
-
 class Profile(CreatedModifiedModel):
 '''
 Profile model related to User object. Currently stores LDAP DN for users
diff --git a/awx/main/tests/functional/conftest.py b/awx/main/tests/functional/conftest.py
index 3e7248f4eb..1d976ca492 100644
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@@ -19,7 +19,6 @@ from jsonbfield.fields import JSONField
 # AWX
 from awx.main.models.projects import Project
-from awx.main.models.base import PERM_INVENTORY_READ
 from awx.main.models.ha import Instance
 from awx.main.models.fact import Fact
@@ -38,7 +37,6 @@ from awx.main.models.inventory import (
 )
 from awx.main.models.organization import (
 Organization,
- Permission,
 Team,
 )
 from awx.main.models.rbac import Role
@@ -528,11 +526,6 @@ def fact_services_json():
 return _fact_json('services')
-@pytest.fixture
-def permission_inv_read(organization, inventory, team):
- return Permission.objects.create(inventory=inventory, team=team, permission_type=PERM_INVENTORY_READ)
-
-
 @pytest.fixture
 def job_template(organization):
 jt = JobTemplate(name='test-job_template')
diff --git a/awx/main/tests/functional/test_inventory_source_migration.py b/awx/main/tests/functional/test_inventory_source_migration.py
index cfbfdbaff6..015706cdf8 100644
--- a/awx/main/tests/functional/test_inventory_source_migration.py
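Review bot: Removing the `Permission` model (and, in the earlier hunks, the `deprecated_*` relations) is a schema change, and the removed docstring itself says the class is only safe to drop "after a 3.0.0 migration"; no Django migration is visible in this chunk. Whatever migration drops the Permission table and the deprecated through-tables should declare a dependency on the RBAC data migration that translated those rows into roles, otherwise an install upgrading straight from a pre-RBAC release could discard the legacy grants before they are converted. If that migration is elsewhere in this commit, a one-line pointer to it in the commit message would save reviewers the search. This hunk is a pure deletion of the class; nothing in it needs a code change.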
+++ b/awx/main/tests/functional/test_inventory_source_migration.py
@@ -25,21 +25,3 @@ def test_inv_src_rename(inventory_source_factory):
 inv_src01.refresh_from_db()
 # inv-is-t1 is generated in the inventory_source_factory
 assert inv_src01.name == 't1 - inv-is-t1 - 0'
-
-
-@pytest.mark.django_db
-def test_inv_src_nolink_removal(inventory_source_factory):
- inventory_source_factory('t1')
- inv_src02 = inventory_source_factory('t2')
-
- inv_src02.inventory = None
- inv_src02.deprecated_group = None
- inv_src02.save()
-
- assert InventorySource.objects.count() == 2
-
- invsrc.remove_inventory_source_with_no_inventory_link(apps, None)
-
- objs = InventorySource.objects.all()
- assert len(objs) == 1
- assert 't1' in objs[0].name
diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py
index c7e2224684..b02b30755a 100644
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@@ -2,40 +2,9 @@ import pytest
 from awx.main.access import CredentialAccess
 from awx.main.models.credential import Credential
-from awx.main.models.jobs import JobTemplate
-from awx.main.models.inventory import InventorySource
-from awx.main.migrations import _rbac as rbac
-from django.apps import apps
 from django.contrib.auth.models import User
-@pytest.mark.django_db
-def test_credential_migration_user(credential, user, permissions):
- u = user('user', False)
- credential.deprecated_user = u
- credential.save()
-
- rbac.migrate_credential(apps, None)
-
- assert u in credential.admin_role
-
-
-@pytest.mark.django_db
-def test_two_teams_same_cred_name(organization_factory, credentialtype_net):
- objects = organization_factory("test",
- teams=["team1", "team2"])
-
- cred1 = Credential.objects.create(name="test", credential_type=credentialtype_net, deprecated_team=objects.teams.team1)
- cred2 = Credential.objects.create(name="test", credential_type=credentialtype_net, deprecated_team=objects.teams.team2)
-
- rbac.migrate_credential(apps, None)
-
- assert objects.teams.team1.admin_role in cred1.admin_role.parents.all()
- assert objects.teams.team2.admin_role in cred2.admin_role.parents.all()
- assert objects.teams.team1.member_role in cred1.use_role.parents.all()
- assert objects.teams.team2.member_role in cred2.use_role.parents.all()
-
-
 @pytest.mark.django_db
 def test_credential_use_role(credential, user, permissions):
 u = user('user', False)
@@ -43,59 +12,6 @@ def test_credential_use_role(credential, user, permissions):
 assert u in credential.use_role
-@pytest.mark.django_db
-def test_credential_migration_team_member(credential, team, user, permissions):
- u = user('user', False)
- team.member_role.members.add(u)
- credential.deprecated_team = team
- credential.save()
-
-
- # No permissions pre-migration (this happens automatically so we patch this)
- team.admin_role.children.remove(credential.admin_role)
- team.member_role.children.remove(credential.use_role)
- assert u not in credential.admin_role
-
- rbac.migrate_credential(apps, None)
-
- # User permissions post migration
- assert u in credential.use_role
- assert u not in credential.admin_role
-
-
-@pytest.mark.django_db
-def test_credential_migration_team_admin(credential, team, user, permissions):
- u = user('user', False)
- team.admin_role.members.add(u)
- credential.deprecated_team = team
- credential.save()
-
- assert u not in credential.use_role
-
- # Admin permissions post migration
- rbac.migrate_credential(apps, None)
- assert u in credential.admin_role
-
-
-@pytest.mark.django_db
-def test_credential_migration_org_auditor(credential, team, org_auditor):
- # Team's organization is the org_auditor's org
- credential.deprecated_team = team
- credential.save()
-
- # No permissions pre-migration (this happens automatically so we patch this)
- team.admin_role.children.remove(credential.admin_role)
- team.member_role.children.remove(credential.use_role)
- assert org_auditor not in credential.read_role
-
- rbac.migrate_credential(apps, None)
- rbac.infer_credential_org_from_team(apps, None)
-
- # Read permissions post migration
- assert org_auditor not in credential.use_role
- assert org_auditor in credential.read_role
-
-
 def test_credential_access_superuser():
 u = User(username='admin', is_superuser=True)
 access = CredentialAccess(u)
@@ -118,33 +34,6 @@ def test_credential_access_auditor(credential, organization_factory):
 assert access.can_read(credential)
-@pytest.mark.django_db
-def test_credential_access_admin(user, team, credential, credentialtype_aws):
- u = user('org-admin', False)
- team.organization.admin_role.members.add(u)
-
- access = CredentialAccess(u)
-
- assert access.can_add({'user': u.pk})
- assert not access.can_change(credential, {'user': u.pk})
-
- # unowned credential is superuser only
- assert not access.can_delete(credential)
-
- # credential is now part of a team
- # that is part of an organization
- # that I am an admin for
- credential.admin_role.parents.add(team.admin_role)
- credential.save()
-
- cred = Credential.objects.create(credential_type=credentialtype_aws, name='test-cred')
- cred.deprecated_team = team
- cred.save()
-
- # should have can_change access as org-admin
- assert access.can_change(credential, {'description': 'New description.'})
-
-
 @pytest.mark.django_db
 def test_org_credential_access_member(alice, org_credential, credential):
 org_credential.admin_role.members.add(alice)
@@ -163,156 +52,8 @@ def test_org_credential_access_member(alice, org_credential, credential):
 'organization': None})
-@pytest.mark.django_db
-def test_cred_job_template_xfail(user, deploy_jobtemplate):
- ' Personal credential migration '
- a = user('admin', False)
- org = deploy_jobtemplate.project.organization
- org.admin_role.members.add(a)
-
- cred = deploy_jobtemplate.credential
- cred.deprecated_user = user('john', False)
- cred.save()
-
- access = CredentialAccess(a)
- rbac.migrate_credential(apps, None)
- assert not access.can_change(cred, {'organization': org.pk})
-
-
-@pytest.mark.django_db
-def test_cred_job_template(user, team, deploy_jobtemplate):
- ' Team credential migration => org credential '
- a = user('admin', False)
- org = deploy_jobtemplate.project.organization
- org.admin_role.members.add(a)
-
- cred = deploy_jobtemplate.credential
- cred.deprecated_team = team
- cred.save()
-
- access = CredentialAccess(a)
- rbac.migrate_credential(apps, None)
-
- cred.refresh_from_db()
-
- assert access.can_change(cred, {'organization': org.pk})
-
- org.admin_role.members.remove(a)
- assert not access.can_change(cred, {'organization': org.pk})
-
-
-@pytest.mark.django_db
-def test_cred_multi_job_template_single_org_xfail(user, deploy_jobtemplate):
- a = user('admin', False)
- org = deploy_jobtemplate.project.organization
- org.admin_role.members.add(a)
-
- cred = deploy_jobtemplate.credential
- cred.deprecated_user = user('john', False)
- cred.save()
-
- access = CredentialAccess(a)
- rbac.migrate_credential(apps, None)
- cred.refresh_from_db()
-
- assert not access.can_change(cred, {'organization': org.pk})
-
-
-@pytest.mark.django_db
-def test_cred_multi_job_template_single_org(user, team, deploy_jobtemplate):
- a = user('admin', False)
- org = deploy_jobtemplate.project.organization
- org.admin_role.members.add(a)
-
- cred = deploy_jobtemplate.credential
- cred.deprecated_team = team
- cred.save()
-
- access = CredentialAccess(a)
-
rbac.migrate_credential(apps, None)
- cred.refresh_from_db()
-
- assert access.can_change(cred, {'organization': org.pk})
-
- org.admin_role.members.remove(a)
- assert not access.can_change(cred, {'organization': org.pk})
-
-
-@pytest.mark.django_db
-def test_single_cred_multi_job_template_multi_org(user, organizations, credential, team):
- orgs = organizations(2)
- credential.deprecated_team = team
- credential.save()
-
- jts = []
- for org in orgs:
- inv = org.inventories.create(name="inv-%d" % org.pk)
- jt = JobTemplate.objects.create(
- inventory=inv,
- credential=credential,
- name="test-jt-org-%d" % org.pk,
- job_type='check',
- )
- jts.append(jt)
-
- a = user('admin', False)
- orgs[0].admin_role.members.add(a)
- orgs[1].admin_role.members.add(a)
-
- rbac.migrate_credential(apps, None)
-
- for jt in jts:
- jt.refresh_from_db()
- credential.refresh_from_db()
-
- assert jts[0].credential != jts[1].credential
-
-
-@pytest.mark.django_db
-def test_cred_inventory_source(user, inventory, credential):
- u = user('member', False)
- inventory.organization.member_role.members.add(u)
-
- InventorySource.objects.create(
- name="test-inv-src",
- credential=credential,
- inventory=inventory,
- )
-
- assert u not in credential.use_role
-
- rbac.migrate_credential(apps, None)
- assert u not in credential.use_role
-
-
-@pytest.mark.django_db
-def test_cred_project(user, credential, project):
- u = user('member', False)
- project.organization.member_role.members.add(u)
- project.credential = credential
- project.save()
-
- assert u not in credential.use_role
-
- rbac.migrate_credential(apps, None)
- assert u not in credential.use_role
-
-
 @pytest.mark.django_db
 def test_cred_no_org(user, credential):
 su = user('su', True)
 access = CredentialAccess(su)
 assert access.can_change(credential, {'user': su.pk})
-
-
-@pytest.mark.django_db
-def test_cred_team(user, team, credential):
- u = user('a', False)
- team.member_role.members.add(u)
- credential.deprecated_team = team
-
credential.save()
-
- assert u not in credential.use_role
-
- rbac.migrate_credential(apps, None)
- assert u in credential.use_role
diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py
index 10390e3b07..7b85e1d44a 100644
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@@ -1,8 +1,6 @@
 import pytest
-from awx.main.migrations import _rbac as rbac
 from awx.main.models import (
- Permission,
 Host,
 CustomInventoryScript,
 Schedule
@@ -15,7 +13,6 @@ from awx.main.access import (
 CustomInventoryScriptAccess,
 ScheduleAccess
 )
-from django.apps import apps
 @pytest.mark.django_db
@@ -54,158 +51,6 @@ def test_org_member_inventory_script_permissions(org_member, organization):
 assert not access.can_change(custom_inv, {'name': 'ed-test'})
-@pytest.mark.django_db
-def test_inventory_admin_user(inventory, permissions, user):
- u = user('admin', False)
- perm = Permission(user=u, inventory=inventory, permission_type='admin')
- perm.save()
-
- assert u not in inventory.admin_role
-
- rbac.migrate_inventory(apps, None)
-
- assert u in inventory.admin_role
- assert inventory.use_role.members.filter(id=u.id).exists() is False
- assert inventory.update_role.members.filter(id=u.id).exists() is False
-
-
-@pytest.mark.django_db
-def test_inventory_auditor_user(inventory, permissions, user):
- u = user('auditor', False)
- perm = Permission(user=u, inventory=inventory, permission_type='read')
- perm.save()
-
- assert u not in inventory.admin_role
- assert u not in inventory.read_role
-
- rbac.migrate_inventory(apps, None)
-
- assert u not in inventory.admin_role
- assert u in inventory.read_role
- assert inventory.use_role.members.filter(id=u.id).exists() is False
- assert inventory.update_role.members.filter(id=u.id).exists() is False
-
-
-@pytest.mark.django_db
-def test_inventory_updater_user(inventory, permissions, user):
- u = user('updater', False)
- perm = Permission(user=u, inventory=inventory, permission_type='write')
- perm.save()
-
- assert u not in inventory.admin_role
- assert u not in inventory.read_role
-
- rbac.migrate_inventory(apps, None)
-
- assert u not in inventory.admin_role
- assert inventory.use_role.members.filter(id=u.id).exists() is False
- assert inventory.update_role.members.filter(id=u.id).exists()
-
-
-@pytest.mark.django_db
-def test_inventory_executor_user(inventory, permissions, user):
- u = user('executor', False)
- perm = Permission(user=u, inventory=inventory, permission_type='read', run_ad_hoc_commands=True)
- perm.save()
-
- assert u not in inventory.admin_role
- assert u not in inventory.read_role
-
-
rbac.migrate_inventory(apps, None)
-
- assert u not in inventory.admin_role
- assert u in inventory.read_role
- assert inventory.use_role.members.filter(id=u.id).exists()
- assert inventory.update_role.members.filter(id=u.id).exists() is False
-
-
-@pytest.mark.django_db
-def test_inventory_admin_team(inventory, permissions, user, team):
- u = user('admin', False)
- perm = Permission(team=team, inventory=inventory, permission_type='admin')
- perm.save()
- team.deprecated_users.add(u)
-
- assert u not in inventory.admin_role
-
- rbac.migrate_team(apps, None)
- rbac.migrate_inventory(apps, None)
-
- assert team.member_role.members.count() == 1
- assert inventory.admin_role.members.filter(id=u.id).exists() is False
- assert inventory.read_role.members.filter(id=u.id).exists() is False
- assert inventory.use_role.members.filter(id=u.id).exists() is False
- assert inventory.update_role.members.filter(id=u.id).exists() is False
- assert u in inventory.read_role
- assert u in inventory.admin_role
-
-
-@pytest.mark.django_db
-def test_inventory_auditor(inventory, permissions, user, team):
- u = user('auditor', False)
- perm = Permission(team=team, inventory=inventory, permission_type='read')
- perm.save()
- team.deprecated_users.add(u)
-
- assert u not in inventory.admin_role
- assert u not in inventory.read_role
-
- rbac.migrate_team(apps,None)
- rbac.migrate_inventory(apps, None)
-
- assert team.member_role.members.count() == 1
- assert inventory.admin_role.members.filter(id=u.id).exists() is False
- assert inventory.read_role.members.filter(id=u.id).exists() is False
- assert inventory.use_role.members.filter(id=u.id).exists() is False
- assert inventory.update_role.members.filter(id=u.id).exists() is False
- assert u in inventory.read_role
- assert u not in inventory.admin_role
-
-
-@pytest.mark.django_db
-def test_inventory_updater(inventory, permissions, user, team):
- u = user('updater', False)
- perm = Permission(team=team, inventory=inventory,
permission_type='write')
- perm.save()
- team.deprecated_users.add(u)
-
- assert u not in inventory.admin_role
- assert u not in inventory.read_role
-
- rbac.migrate_team(apps,None)
- rbac.migrate_inventory(apps, None)
-
- assert team.member_role.members.count() == 1
- assert inventory.admin_role.members.filter(id=u.id).exists() is False
- assert inventory.read_role.members.filter(id=u.id).exists() is False
- assert inventory.use_role.members.filter(id=u.id).exists() is False
- assert inventory.update_role.members.filter(id=u.id).exists() is False
- assert team.member_role.is_ancestor_of(inventory.update_role)
- assert team.member_role.is_ancestor_of(inventory.use_role) is False
-
-
-@pytest.mark.django_db
-def test_inventory_executor(inventory, permissions, user, team):
- u = user('executor', False)
- perm = Permission(team=team, inventory=inventory, permission_type='read', run_ad_hoc_commands=True)
- perm.save()
- team.deprecated_users.add(u)
-
- assert u not in inventory.admin_role
- assert u not in inventory.read_role
-
- rbac.migrate_team(apps, None)
- rbac.migrate_inventory(apps, None)
-
- assert team.member_role.members.count() == 1
- assert inventory.admin_role.members.filter(id=u.id).exists() is False
- assert inventory.read_role.members.filter(id=u.id).exists() is False
- assert inventory.use_role.members.filter(id=u.id).exists() is False
- assert inventory.update_role.members.filter(id=u.id).exists() is False
- assert team.member_role.is_ancestor_of(inventory.update_role) is False
- assert team.member_role.is_ancestor_of(inventory.use_role)
-
-
 @pytest.mark.django_db
 def test_access_admin(organization, inventory, user):
 a = user('admin', False)
diff --git a/awx/main/tests/functional/test_rbac_job_templates.py b/awx/main/tests/functional/test_rbac_job_templates.py
index fff4bb0175..d0069e2d06 100644
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -7,12 +7,8 @@ from awx.main.access import (
 JobTemplateAccess,
 ScheduleAccess
 )
-from awx.main.migrations import _rbac as rbac
-from awx.main.models import Permission
 from awx.main.models.jobs import JobTemplate
 from awx.main.models.schedules import Schedule
-from django.apps import apps
-
 @pytest.fixture
@@ -23,142 +19,6 @@ def jt_objects(job_template_factory):
 return objects
-@pytest.mark.django_db
-def test_job_template_migration_check(credential, deploy_jobtemplate, check_jobtemplate, user):
- admin = user('admin', is_superuser=True)
- joe = user('joe')
-
- credential.deprecated_user = joe
- credential.save()
-
- check_jobtemplate.project.organization.deprecated_users.add(joe)
-
- Permission(user=joe, inventory=check_jobtemplate.inventory, permission_type='read').save()
- Permission(user=joe, inventory=check_jobtemplate.inventory,
- project=check_jobtemplate.project, permission_type='check').save()
-
-
- rbac.migrate_users(apps, None)
- rbac.migrate_organization(apps, None)
- rbac.migrate_projects(apps, None)
- rbac.migrate_inventory(apps, None)
-
- assert joe in check_jobtemplate.project.read_role
- assert admin in check_jobtemplate.execute_role
- assert joe not in check_jobtemplate.execute_role
-
- rbac.migrate_job_templates(apps, None)
-
- assert admin in check_jobtemplate.execute_role
- assert joe in check_jobtemplate.execute_role
- assert admin in deploy_jobtemplate.execute_role
- assert joe not in deploy_jobtemplate.execute_role
-
-
-@pytest.mark.django_db
-def test_job_template_migration_deploy(credential, deploy_jobtemplate, check_jobtemplate, user):
- admin = user('admin', is_superuser=True)
- joe = user('joe')
-
- credential.deprecated_user = joe
- credential.save()
-
- deploy_jobtemplate.project.organization.deprecated_users.add(joe)
-
- Permission(user=joe, inventory=deploy_jobtemplate.inventory, permission_type='read').save()
- Permission(user=joe, inventory=deploy_jobtemplate.inventory,
- project=deploy_jobtemplate.project, permission_type='run').save()
-
- rbac.migrate_users(apps, None)
- rbac.migrate_organization(apps, None)
- rbac.migrate_projects(apps, None)
- rbac.migrate_inventory(apps, None)
-
- assert joe in deploy_jobtemplate.project.read_role
- assert admin in deploy_jobtemplate.execute_role
- assert joe not in
deploy_jobtemplate.execute_role
-
- rbac.migrate_job_templates(apps, None)
-
- assert admin in deploy_jobtemplate.execute_role
- assert joe in deploy_jobtemplate.execute_role
- assert admin in check_jobtemplate.execute_role
- assert joe in check_jobtemplate.execute_role
-
-
-@pytest.mark.django_db
-def test_job_template_team_migration_check(credential, deploy_jobtemplate, check_jobtemplate, organization, team, user):
- admin = user('admin', is_superuser=True)
- joe = user('joe')
- team.deprecated_users.add(joe)
- team.organization = organization
- team.save()
-
- credential.deprecated_team = team
- credential.save()
-
- check_jobtemplate.project.organization.deprecated_users.add(joe)
-
- Permission(team=team, inventory=check_jobtemplate.inventory, permission_type='read').save()
- Permission(team=team, inventory=check_jobtemplate.inventory,
- project=check_jobtemplate.project, permission_type='check').save()
-
- rbac.migrate_users(apps, None)
- rbac.migrate_team(apps, None)
- rbac.migrate_organization(apps, None)
- rbac.migrate_projects(apps, None)
- rbac.migrate_inventory(apps, None)
-
- assert joe not in check_jobtemplate.read_role
- assert admin in check_jobtemplate.execute_role
- assert joe not in check_jobtemplate.execute_role
-
- rbac.migrate_job_templates(apps, None)
-
- assert admin in check_jobtemplate.execute_role
- assert joe in check_jobtemplate.execute_role
-
- assert admin in deploy_jobtemplate.execute_role
- assert joe not in deploy_jobtemplate.execute_role
-
-
-@pytest.mark.django_db
-def test_job_template_team_deploy_migration(credential, deploy_jobtemplate, check_jobtemplate, organization, team, user):
- admin = user('admin', is_superuser=True)
- joe = user('joe')
- team.deprecated_users.add(joe)
- team.organization = organization
- team.save()
-
- credential.deprecated_team = team
- credential.save()
-
- deploy_jobtemplate.project.organization.deprecated_users.add(joe)
-
- Permission(team=team, inventory=deploy_jobtemplate.inventory,
permission_type='read').save()
- Permission(team=team, inventory=deploy_jobtemplate.inventory,
- project=deploy_jobtemplate.project, permission_type='run').save()
-
- rbac.migrate_users(apps, None)
- rbac.migrate_team(apps, None)
- rbac.migrate_organization(apps, None)
- rbac.migrate_projects(apps, None)
- rbac.migrate_inventory(apps, None)
-
- assert joe not in deploy_jobtemplate.read_role
- assert admin in deploy_jobtemplate.execute_role
- assert joe not in deploy_jobtemplate.execute_role
-
- rbac.migrate_job_templates(apps, None)
-
- assert joe in deploy_jobtemplate.read_role
- assert admin in deploy_jobtemplate.execute_role
- assert joe in deploy_jobtemplate.execute_role
-
- assert admin in check_jobtemplate.execute_role
- assert joe in check_jobtemplate.execute_role
-
-
 @mock.patch.object(BaseAccess, 'check_license', return_value=None)
 @pytest.mark.django_db
 def test_job_template_access_superuser(check_license, user, deploy_jobtemplate):
diff --git a/awx/main/tests/functional/test_rbac_organization.py b/awx/main/tests/functional/test_rbac_organization.py
index 1ecf6c7f85..cdf8f446f0 100644
--- a/awx/main/tests/functional/test_rbac_organization.py
+++ b/awx/main/tests/functional/test_rbac_organization.py
@@ -1,54 +1,10 @@
 import mock
 import pytest
-from awx.main.migrations import _rbac as rbac
 from awx.main.access import (
 BaseAccess,
 OrganizationAccess,
 )
-from django.apps import apps
-
-
-@pytest.mark.django_db
-def test_organization_migration_admin(organization, permissions, user):
- u = user('admin', False)
- organization.deprecated_admins.add(u)
-
- # Undo some automatic work that we're supposed to be testing with our migration
- organization.admin_role.members.remove(u)
- assert u not in organization.admin_role
-
- rbac.migrate_organization(apps, None)
-
- assert u in organization.admin_role
-
-
-@pytest.mark.django_db
-def test_organization_migration_user(organization, permissions, user):
- u = user('user', False)
- organization.deprecated_users.add(u)
-
- # Undo some automatic work that we're supposed to be testing with our migration
- organization.member_role.members.remove(u)
- assert u not in organization.read_role
-
- rbac.migrate_organization(apps, None)
-
- assert u in organization.read_role
-
-
-@mock.patch.object(BaseAccess, 'check_license', return_value=None)
-@pytest.mark.django_db
-def test_organization_access_superuser(cl, organization, user):
- access = OrganizationAccess(user('admin', True))
- organization.deprecated_users.add(user('user', False))
-
- assert access.can_change(organization, None)
- assert access.can_delete(organization)
-
- org = access.get_queryset()[0]
- assert len(org.deprecated_admins.all()) == 0
- assert len(org.deprecated_users.all()) == 1
 @mock.patch.object(BaseAccess, 'check_license', return_value=None)
diff --git a/awx/main/tests/functional/test_rbac_project.py b/awx/main/tests/functional/test_rbac_project.py
deleted file mode 100644
index 65fc0614bf..0000000000
--- a/awx/main/tests/functional/test_rbac_project.py
+++ /dev/null
@@ -1,235 +0,0 @@
-import pytest
-
-from awx.main.migrations import _rbac as rbac
-from awx.main.models import Role, Permission, Project, Organization, Credential, JobTemplate, Inventory
-from awx.main.access import ProjectAccess
-from django.apps import apps
-from awx.main.migrations import _old_access as old_access
-
-
-@pytest.mark.django_db
-def test_project_migration(credentialtype_ssh):
- '''
-
- o1 o2 o3 with o1 -- i1 o2 -- i2
- \ | /
- \ | /
- c1 ---- p1
- / | \
- / | \
- jt1 jt2 jt3
- | | |
- i1 i2 i1
-
-
- goes to
-
-
- o1
- |
- |
- c1 ---- p1
- / |
- / |
- jt1 jt3
- | |
- i1 i1
-
-
- o2
- |
- |
- c1 ---- p2
- |
- |
- jt2
- |
- i2
-
- o3
- |
- |
- c1 ---- p3
-
-
- '''
-
-
- o1 = Organization.objects.create(name='o1')
- o2 = Organization.objects.create(name='o2')
- o3 = Organization.objects.create(name='o3')
-
- c1 = Credential.objects.create(name='c1', credential_type=credentialtype_ssh)
-
- project_name = unicode("\xc3\xb4", "utf-8")
- p1 = Project.objects.create(name=project_name, credential=c1)
- p1.deprecated_organizations.add(o1, o2, o3)
-
- i1 = Inventory.objects.create(name='i1', organization=o1)
- i2 = Inventory.objects.create(name='i2', organization=o2)
-
- jt1 = JobTemplate.objects.create(name='jt1', project=p1, inventory=i1)
- jt2 = JobTemplate.objects.create(name='jt2', project=p1, inventory=i2)
- jt3 = JobTemplate.objects.create(name='jt3', project=p1, inventory=i1)
-
- assert o1.projects.count() == 0
- assert o2.projects.count() == 0
- assert o3.projects.count() == 0
-
- rbac.migrate_projects(apps, None)
-
- jt1 = JobTemplate.objects.get(pk=jt1.pk)
- jt2 = JobTemplate.objects.get(pk=jt2.pk)
- jt3 = JobTemplate.objects.get(pk=jt3.pk)
-
- assert jt1.project == jt3.project
- assert jt1.project != jt2.project
-
- assert o1.projects.count() == 1
- assert o2.projects.count() == 1
- assert o3.projects.count() == 1
- assert o1.projects.all()[0].jobtemplates.count() == 2
- assert o2.projects.all()[0].jobtemplates.count() == 1
- assert
o3.projects.all()[0].jobtemplates.count() == 0
-
-
-@pytest.mark.django_db
-def test_single_org_project_migration(organization):
- project = Project.objects.create(name='my project',
- description="description",
- organization=None)
- organization.deprecated_projects.add(project)
- assert project.organization is None
- rbac.migrate_projects(apps, None)
- project = Project.objects.get(id=project.id)
- assert project.organization.id == organization.id
-
-
-@pytest.mark.django_db
-def test_no_org_project_migration(organization):
- project = Project.objects.create(name='my project',
- description="description",
- organization=None)
- assert project.organization is None
- rbac.migrate_projects(apps, None)
- assert project.organization is None
-
-
-@pytest.mark.django_db
-def test_multi_org_project_migration():
- org1 = Organization.objects.create(name="org1", description="org1 desc")
- org2 = Organization.objects.create(name="org2", description="org2 desc")
- project = Project.objects.create(name='my project',
- description="description",
- organization=None)
-
- assert Project.objects.all().count() == 1
- assert Project.objects.filter(organization=org1).count() == 0
- assert Project.objects.filter(organization=org2).count() == 0
-
- project.deprecated_organizations.add(org1)
- project.deprecated_organizations.add(org2)
- assert project.organization is None
- rbac.migrate_projects(apps, None)
- assert Project.objects.filter(organization=org1).count() == 1
- assert Project.objects.filter(organization=org2).count() == 1
-
-
-@pytest.mark.django_db
-def test_project_user_project(user_project, project, user):
- u = user('owner')
-
- assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
- assert old_access.check_user_access(u, project.__class__, 'read', project) is False
-
- assert u not in user_project.read_role
- assert u not in project.read_role
- rbac.migrate_projects(apps, None)
- assert u in user_project.read_role
- assert u not in
project.read_role
-
-
-@pytest.mark.django_db
-def test_project_accessible_by_sa(user, project):
- u = user('systemadmin', is_superuser=True)
- # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
- Role.singleton('system_administrator').members.remove(u)
-
- assert u not in project.read_role
- rbac.migrate_organization(apps, None)
- rbac.migrate_users(apps, None)
- rbac.migrate_projects(apps, None)
- print(project.admin_role.ancestors.all())
- print(project.admin_role.ancestors.all())
- assert u in project.admin_role
-
-
-@pytest.mark.django_db
-def test_project_org_members(user, organization, project):
- admin = user('orgadmin')
- member = user('orgmember')
-
- assert admin not in project.read_role
- assert member not in project.read_role
-
- organization.deprecated_admins.add(admin)
- organization.deprecated_users.add(member)
-
- rbac.migrate_organization(apps, None)
- rbac.migrate_projects(apps, None)
-
- assert admin in project.admin_role
- assert member in project.read_role
-
-
-@pytest.mark.django_db
-def test_project_team(user, team, project):
- nonmember = user('nonmember')
- member = user('member')
-
- team.deprecated_users.add(member)
- project.deprecated_teams.add(team)
-
- assert nonmember not in project.read_role
- assert member not in project.read_role
-
- rbac.migrate_team(apps, None)
- rbac.migrate_organization(apps, None)
- rbac.migrate_projects(apps, None)
-
- assert member in project.read_role
- assert nonmember not in project.read_role
-
-
-@pytest.mark.django_db
-def test_project_explicit_permission(user, team, project, organization):
- u = user('prjuser')
-
- assert old_access.check_user_access(u, project.__class__, 'read', project) is False
-
- organization.deprecated_users.add(u)
- p = Permission(user=u, project=project, permission_type='create', name='Perm name')
- p.save()
-
- assert u not in project.read_role
-
- rbac.migrate_organization(apps, None)
- rbac.migrate_projects(apps, None)
-
- assert u in project.read_role
-
-
-@pytest.mark.django_db
-def test_create_project_foreign_org_admin(org_admin, organization, organization_factory):
- """Org admins can only create projects in their own org."""
- other_org = organization_factory('not-my-org').organization
- access = ProjectAccess(org_admin)
- assert not access.can_add({'organization': other_org.pk, 'name': 'new-project'})
-
-
-@pytest.mark.django_db
-def test_modify_project_foreign_org_admin(org_admin, organization, organization_factory, project):
- """Org admins can only modify projects in their own org."""
- other_org = organization_factory('not-my-org').organization
- access = ProjectAccess(org_admin)
- assert not access.can_change(project, {'organization': other_org.pk, 'name': 'new-project'})
diff --git a/awx/main/tests/functional/test_rbac_user.py b/awx/main/tests/functional/test_rbac_user.py
index c7eaa8c0e9..8f307ea0e3 100644
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
@@ -1,11 +1,9 @@
 import pytest
 
-from django.apps import apps
 from django.test import TransactionTestCase
 
-from awx.main.migrations import _rbac as rbac
 from awx.main.access import UserAccess
-from awx.main.models import Role, User, Organization, Inventory
+from awx.main.models import User, Organization, Inventory
 
 
 @pytest.mark.django_db
@@ -46,28 +44,6 @@ def test_system_auditor_is_system_auditor(system_auditor):
 assert system_auditor.is_system_auditor
 
 
-@pytest.mark.django_db
-def test_user_admin(user_project, project, user):
- username = unicode("\xc3\xb4", "utf-8")
-
- joe = user(username, is_superuser = False)
- admin = user('admin', is_superuser = True)
- sa = Role.singleton('system_administrator')
-
- # this should happen automatically with our signal
- assert sa.members.filter(id=admin.id).exists() is True
- sa.members.remove(admin)
-
- assert sa.members.filter(id=joe.id).exists() is False
- assert sa.members.filter(id=admin.id).exists() is False
-
- rbac.migrate_users(apps, None)
-
- # The migration should add the admin back in
- assert sa.members.filter(id=joe.id).exists() is False
- assert sa.members.filter(id=admin.id).exists() is True
-
-
 @pytest.mark.django_db
 def test_user_queryset(user):
 u = user('pete', False)
diff --git a/awx/main/tests/job_base.py b/awx/main/tests/job_base.py
index d24d19611a..1f195c831d 100644
--- a/awx/main/tests/job_base.py
+++ b/awx/main/tests/job_base.py
@@ -394,93 +394,6 @@ class BaseJobTestMixin(BaseTestMixin):
 )
 self.team_ops_testers.member_role.children.add(self.cred_ops_test.use_role)
 
- self.ops_east_permission = Permission.objects.create(
- inventory = self.inv_ops_east,
- project = self.proj_prod,
- team = self.team_ops_east,
- permission_type = PERM_JOBTEMPLATE_CREATE,
- created_by = self.user_sue
- )
-
- self.ops_east_permission_prod_east = Permission.objects.create(
- inventory = self.inv_ops_east,
- project = self.proj_prod_east,
- team = self.team_ops_east,
- permission_type = PERM_JOBTEMPLATE_CREATE,
- created_by = self.user_sue
- )
-
- self.ops_east_permission_inv_admin = Permission.objects.create(
- inventory = self.inv_ops_east,
- team = self.team_ops_east,
- permission_type = PERM_INVENTORY_ADMIN,
- created_by = self.user_sue
- )
-
- self.ops_testers_permission = Permission.objects.create(
- inventory = self.inv_ops_west,
- project = self.proj_prod,
- team = self.team_ops_testers,
- permission_type = PERM_INVENTORY_CHECK,
- created_by = self.user_sue
- )
-
- self.ops_testers_permission_inv_read = Permission.objects.create(
- inventory = self.inv_ops_west,
- team = self.team_ops_testers,
- permission_type = PERM_INVENTORY_READ,
- created_by = self.user_sue
- )
-
- self.doug_check_permission = Permission.objects.create(
- inventory = self.inv_eng,
- project = self.proj_dev,
- user = self.user_doug,
- permission_type = PERM_INVENTORY_CHECK,
- created_by = self.user_sue
- )
-
- self.doug_inv_read_permission = Permission.objects.create(
- inventory = self.inv_eng,
- user = self.user_doug,
- permission_type = PERM_INVENTORY_READ,
- created_by = self.user_sue
- )
-
- self.juan_deploy_permission = Permission.objects.create(
- inventory = self.inv_eng,
- project = self.proj_dev,
- user = self.user_juan,
- permission_type = PERM_INVENTORY_DEPLOY,
- created_by = self.user_sue
- )
-
- self.hannibal_create_permission = Permission.objects.create(
- inventory = self.inv_eng,
- project = self.proj_dev,
- user =
self.user_hannibal,
- permission_type = PERM_JOBTEMPLATE_CREATE,
- created_by = self.user_sue
- )
-
- # FIXME: Define explicit permissions for tests.
- # other django user is on the project team and can deploy
- #self.permission1 = Permission.objects.create(
- # inventory = self.inventory,
- # project = self.project,
- # team = self.team,
- # permission_type = PERM_INVENTORY_DEPLOY,
- # created_by = self.normal_django_user
- #)
- # individual permission granted to other2 user, can run check mode
- #self.permission2 = Permission.objects.create(
- # inventory = self.inventory,
- # project = self.project,
- # user = self.other2_django_user,
- # permission_type = PERM_INVENTORY_CHECK,
- # created_by = self.normal_django_user
- #)
-
 # Engineering has job templates to check/run the dev project onto
 # their own inventory.
 self.jt_eng_check = JobTemplate.objects.create(
diff --git a/awx/main/tests/old/jobs/jobs_monolithic.py b/awx/main/tests/old/jobs/jobs_monolithic.py
index e17c7a5604..6d4d25aae9 100644
--- a/awx/main/tests/old/jobs/jobs_monolithic.py
+++ b/awx/main/tests/old/jobs/jobs_monolithic.py
@@ -244,40 +244,6 @@ class JobTemplateTest(BaseJobTestMixin, django.test.TransactionTestCase):
 #print [x['name'] for x in resp['results']]
 self.assertEquals(resp['count'], 0)
 
- # We give Juan inventory permission and he can see both Job Templates because he already has deploy permission
- # Now he can see both job templates
- Permission.objects.create(
- inventory = self.inv_eng,
- user = self.user_juan,
- permission_type = PERM_INVENTORY_READ,
- created_by = self.user_sue
- )
- with self.current_user(self.user_juan):
- resp = self.get(url, expect=200)
- #print [x['name'] for x in resp['results']]
- self.assertEquals(resp['count'], 2)
-
- # Randall is on the ops testers team that has permission to run a single check playbook on ops west
- with self.current_user(self.user_randall):
- resp = self.get(url, expect=200)
- #print [x['name'] for x in resp['results']]
- self.assertEquals(resp['count'], 1)
-
- # Holly is on the ops east team and can see all of that team's job templates
- with self.current_user(self.user_holly):
- resp = self.get(url, expect=200)
- #print [x['name'] for x in resp['results']]
- self.assertEquals(resp['count'], 3)
-
- # Chuck is temporarily assigned to ops east team to help them running some playbooks
- # even though he's in a different group and org entirely he'll now see their job templates
- self.team_ops_east.deprecated_users.add(self.user_chuck)
- with self.current_user(self.user_chuck):
- resp = self.get(url, expect=200)
- #print [x['name'] for x in resp['results']]
- self.assertEquals(resp['count'], 6)
-
-
 def test_credentials_list(self):
 url = reverse('api:credential_list')
 # Greg can't see the 'south' credential because the 'southerns' team is inactive