External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-11 03:17:38 -02:30
Code Issues Packages Projects Releases Wiki Activity

Initial pass of removing RBAC deprecated fields and Permission

Browse Source
This commit is contained in:
Wayne Witzel III
2017-05-02 13:46:20 -04:00
parent 6fe133dc7f
commit 11eb99820d
14 changed files with 2 additions and 1130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
awx/main/tests/functional/conftest.py
View File

@@ -19,7 +19,6 @@ from jsonbfield.fields import JSONField
# AWX
from awx.main.models.projects import Project
from awx.main.models.base import PERM_INVENTORY_READ
from awx.main.models.ha import Instance
from awx.main.models.fact import Fact
@@ -38,7 +37,6 @@ from awx.main.models.inventory import (
)
from awx.main.models.organization import (
Organization,
Permission,
Team,
)
from awx.main.models.rbac import Role
@@ -528,11 +526,6 @@ def fact_services_json():
return _fact_json('services')
@pytest.fixture
def permission_inv_read(organization, inventory, team):
return Permission.objects.create(inventory=inventory, team=team, permission_type=PERM_INVENTORY_READ)
@pytest.fixture
def job_template(organization):
jt = JobTemplate(name='test-job_template')

18
awx/main/tests/functional/test_inventory_source_migration.py
View File

@@ -25,21 +25,3 @@ def test_inv_src_rename(inventory_source_factory):
inv_src01.refresh_from_db()
# inv-is-t1 is generated in the inventory_source_factory
assert inv_src01.name == 't1 - inv-is-t1 - 0'
@pytest.mark.django_db
def test_inv_src_nolink_removal(inventory_source_factory):
inventory_source_factory('t1')
inv_src02 = inventory_source_factory('t2')
inv_src02.inventory = None
inv_src02.deprecated_group = None
inv_src02.save()
assert InventorySource.objects.count() == 2
invsrc.remove_inventory_source_with_no_inventory_link(apps, None)
objs = InventorySource.objects.all()
assert len(objs) == 1
assert 't1' in objs[0].name

259
awx/main/tests/functional/test_rbac_credential.py
View File

@@ -2,40 +2,9 @@ import pytest
from awx.main.access import CredentialAccess
from awx.main.models.credential import Credential
from awx.main.models.jobs import JobTemplate
from awx.main.models.inventory import InventorySource
from awx.main.migrations import _rbac as rbac
from django.apps import apps
from django.contrib.auth.models import User
@pytest.mark.django_db
def test_credential_migration_user(credential, user, permissions):
u = user('user', False)
credential.deprecated_user = u
credential.save()
rbac.migrate_credential(apps, None)
assert u in credential.admin_role
@pytest.mark.django_db
def test_two_teams_same_cred_name(organization_factory, credentialtype_net):
objects = organization_factory("test",
teams=["team1", "team2"])
cred1 = Credential.objects.create(name="test", credential_type=credentialtype_net, deprecated_team=objects.teams.team1)
cred2 = Credential.objects.create(name="test", credential_type=credentialtype_net, deprecated_team=objects.teams.team2)
rbac.migrate_credential(apps, None)
assert objects.teams.team1.admin_role in cred1.admin_role.parents.all()
assert objects.teams.team2.admin_role in cred2.admin_role.parents.all()
assert objects.teams.team1.member_role in cred1.use_role.parents.all()
assert objects.teams.team2.member_role in cred2.use_role.parents.all()
@pytest.mark.django_db
def test_credential_use_role(credential, user, permissions):
u = user('user', False)
@@ -43,59 +12,6 @@ def test_credential_use_role(credential, user, permissions):
assert u in credential.use_role
@pytest.mark.django_db
def test_credential_migration_team_member(credential, team, user, permissions):
u = user('user', False)
team.member_role.members.add(u)
credential.deprecated_team = team
credential.save()
# No permissions pre-migration (this happens automatically so we patch this)
team.admin_role.children.remove(credential.admin_role)
team.member_role.children.remove(credential.use_role)
assert u not in credential.admin_role
rbac.migrate_credential(apps, None)
# User permissions post migration
assert u in credential.use_role
assert u not in credential.admin_role
@pytest.mark.django_db
def test_credential_migration_team_admin(credential, team, user, permissions):
u = user('user', False)
team.admin_role.members.add(u)
credential.deprecated_team = team
credential.save()
assert u not in credential.use_role
# Admin permissions post migration
rbac.migrate_credential(apps, None)
assert u in credential.admin_role
@pytest.mark.django_db
def test_credential_migration_org_auditor(credential, team, org_auditor):
# Team's organization is the org_auditor's org
credential.deprecated_team = team
credential.save()
# No permissions pre-migration (this happens automatically so we patch this)
team.admin_role.children.remove(credential.admin_role)
team.member_role.children.remove(credential.use_role)
assert org_auditor not in credential.read_role
rbac.migrate_credential(apps, None)
rbac.infer_credential_org_from_team(apps, None)
# Read permissions post migration
assert org_auditor not in credential.use_role
assert org_auditor in credential.read_role
def test_credential_access_superuser():
u = User(username='admin', is_superuser=True)
access = CredentialAccess(u)
@@ -118,33 +34,6 @@ def test_credential_access_auditor(credential, organization_factory):
assert access.can_read(credential)
@pytest.mark.django_db
def test_credential_access_admin(user, team, credential, credentialtype_aws):
u = user('org-admin', False)
team.organization.admin_role.members.add(u)
access = CredentialAccess(u)
assert access.can_add({'user': u.pk})
assert not access.can_change(credential, {'user': u.pk})
# unowned credential is superuser only
assert not access.can_delete(credential)
# credential is now part of a team
# that is part of an organization
# that I am an admin for
credential.admin_role.parents.add(team.admin_role)
credential.save()
cred = Credential.objects.create(credential_type=credentialtype_aws, name='test-cred')
cred.deprecated_team = team
cred.save()
# should have can_change access as org-admin
assert access.can_change(credential, {'description': 'New description.'})
@pytest.mark.django_db
def test_org_credential_access_member(alice, org_credential, credential):
org_credential.admin_role.members.add(alice)
@@ -163,156 +52,8 @@ def test_org_credential_access_member(alice, org_credential, credential):
'organization': None})
@pytest.mark.django_db
def test_cred_job_template_xfail(user, deploy_jobtemplate):
' Personal credential migration '
a = user('admin', False)
org = deploy_jobtemplate.project.organization
org.admin_role.members.add(a)
cred = deploy_jobtemplate.credential
cred.deprecated_user = user('john', False)
cred.save()
access = CredentialAccess(a)
rbac.migrate_credential(apps, None)
assert not access.can_change(cred, {'organization': org.pk})
@pytest.mark.django_db
def test_cred_job_template(user, team, deploy_jobtemplate):
' Team credential migration => org credential '
a = user('admin', False)
org = deploy_jobtemplate.project.organization
org.admin_role.members.add(a)
cred = deploy_jobtemplate.credential
cred.deprecated_team = team
cred.save()
access = CredentialAccess(a)
rbac.migrate_credential(apps, None)
cred.refresh_from_db()
assert access.can_change(cred, {'organization': org.pk})
org.admin_role.members.remove(a)
assert not access.can_change(cred, {'organization': org.pk})
@pytest.mark.django_db
def test_cred_multi_job_template_single_org_xfail(user, deploy_jobtemplate):
a = user('admin', False)
org = deploy_jobtemplate.project.organization
org.admin_role.members.add(a)
cred = deploy_jobtemplate.credential
cred.deprecated_user = user('john', False)
cred.save()
access = CredentialAccess(a)
rbac.migrate_credential(apps, None)
cred.refresh_from_db()
assert not access.can_change(cred, {'organization': org.pk})
@pytest.mark.django_db
def test_cred_multi_job_template_single_org(user, team, deploy_jobtemplate):
a = user('admin', False)
org = deploy_jobtemplate.project.organization
org.admin_role.members.add(a)
cred = deploy_jobtemplate.credential
cred.deprecated_team = team
cred.save()
access = CredentialAccess(a)
rbac.migrate_credential(apps, None)
cred.refresh_from_db()
assert access.can_change(cred, {'organization': org.pk})
org.admin_role.members.remove(a)
assert not access.can_change(cred, {'organization': org.pk})
@pytest.mark.django_db
def test_single_cred_multi_job_template_multi_org(user, organizations, credential, team):
orgs = organizations(2)
credential.deprecated_team = team
credential.save()
jts = []
for org in orgs:
inv = org.inventories.create(name="inv-%d" % org.pk)
jt = JobTemplate.objects.create(
inventory=inv,
credential=credential,
name="test-jt-org-%d" % org.pk,
job_type='check',
)
jts.append(jt)
a = user('admin', False)
orgs[0].admin_role.members.add(a)
orgs[1].admin_role.members.add(a)
rbac.migrate_credential(apps, None)
for jt in jts:
jt.refresh_from_db()
credential.refresh_from_db()
assert jts[0].credential != jts[1].credential
@pytest.mark.django_db
def test_cred_inventory_source(user, inventory, credential):
u = user('member', False)
inventory.organization.member_role.members.add(u)
InventorySource.objects.create(
name="test-inv-src",
credential=credential,
inventory=inventory,
)
assert u not in credential.use_role
rbac.migrate_credential(apps, None)
assert u not in credential.use_role
@pytest.mark.django_db
def test_cred_project(user, credential, project):
u = user('member', False)
project.organization.member_role.members.add(u)
project.credential = credential
project.save()
assert u not in credential.use_role
rbac.migrate_credential(apps, None)
assert u not in credential.use_role
@pytest.mark.django_db
def test_cred_no_org(user, credential):
su = user('su', True)
access = CredentialAccess(su)
assert access.can_change(credential, {'user': su.pk})
@pytest.mark.django_db
def test_cred_team(user, team, credential):
u = user('a', False)
team.member_role.members.add(u)
credential.deprecated_team = team
credential.save()
assert u not in credential.use_role
rbac.migrate_credential(apps, None)
assert u in credential.use_role

155
awx/main/tests/functional/test_rbac_inventory.py
View File

@@ -1,8 +1,6 @@
import pytest
from awx.main.migrations import _rbac as rbac
from awx.main.models import (
Permission,
Host,
CustomInventoryScript,
Schedule
@@ -15,7 +13,6 @@ from awx.main.access import (
CustomInventoryScriptAccess,
ScheduleAccess
)
from django.apps import apps
@pytest.mark.django_db
@@ -54,158 +51,6 @@ def test_org_member_inventory_script_permissions(org_member, organization):
assert not access.can_change(custom_inv, {'name': 'ed-test'})
@pytest.mark.django_db
def test_inventory_admin_user(inventory, permissions, user):
u = user('admin', False)
perm = Permission(user=u, inventory=inventory, permission_type='admin')
perm.save()
assert u not in inventory.admin_role
rbac.migrate_inventory(apps, None)
assert u in inventory.admin_role
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
@pytest.mark.django_db
def test_inventory_auditor_user(inventory, permissions, user):
u = user('auditor', False)
perm = Permission(user=u, inventory=inventory, permission_type='read')
perm.save()
assert u not in inventory.admin_role
assert u not in inventory.read_role
rbac.migrate_inventory(apps, None)
assert u not in inventory.admin_role
assert u in inventory.read_role
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
@pytest.mark.django_db
def test_inventory_updater_user(inventory, permissions, user):
u = user('updater', False)
perm = Permission(user=u, inventory=inventory, permission_type='write')
perm.save()
assert u not in inventory.admin_role
assert u not in inventory.read_role
rbac.migrate_inventory(apps, None)
assert u not in inventory.admin_role
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists()
@pytest.mark.django_db
def test_inventory_executor_user(inventory, permissions, user):
u = user('executor', False)
perm = Permission(user=u, inventory=inventory, permission_type='read', run_ad_hoc_commands=True)
perm.save()
assert u not in inventory.admin_role
assert u not in inventory.read_role
rbac.migrate_inventory(apps, None)
assert u not in inventory.admin_role
assert u in inventory.read_role
assert inventory.use_role.members.filter(id=u.id).exists()
assert inventory.update_role.members.filter(id=u.id).exists() is False
@pytest.mark.django_db
def test_inventory_admin_team(inventory, permissions, user, team):
u = user('admin', False)
perm = Permission(team=team, inventory=inventory, permission_type='admin')
perm.save()
team.deprecated_users.add(u)
assert u not in inventory.admin_role
rbac.migrate_team(apps, None)
rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert u in inventory.read_role
assert u in inventory.admin_role
@pytest.mark.django_db
def test_inventory_auditor(inventory, permissions, user, team):
u = user('auditor', False)
perm = Permission(team=team, inventory=inventory, permission_type='read')
perm.save()
team.deprecated_users.add(u)
assert u not in inventory.admin_role
assert u not in inventory.read_role
rbac.migrate_team(apps,None)
rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert u in inventory.read_role
assert u not in inventory.admin_role
@pytest.mark.django_db
def test_inventory_updater(inventory, permissions, user, team):
u = user('updater', False)
perm = Permission(team=team, inventory=inventory, permission_type='write')
perm.save()
team.deprecated_users.add(u)
assert u not in inventory.admin_role
assert u not in inventory.read_role
rbac.migrate_team(apps,None)
rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert team.member_role.is_ancestor_of(inventory.update_role)
assert team.member_role.is_ancestor_of(inventory.use_role) is False
@pytest.mark.django_db
def test_inventory_executor(inventory, permissions, user, team):
u = user('executor', False)
perm = Permission(team=team, inventory=inventory, permission_type='read', run_ad_hoc_commands=True)
perm.save()
team.deprecated_users.add(u)
assert u not in inventory.admin_role
assert u not in inventory.read_role
rbac.migrate_team(apps, None)
rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.use_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert team.member_role.is_ancestor_of(inventory.update_role) is False
assert team.member_role.is_ancestor_of(inventory.use_role)
@pytest.mark.django_db
def test_access_admin(organization, inventory, user):
a = user('admin', False)

140
awx/main/tests/functional/test_rbac_job_templates.py
View File

@@ -7,12 +7,8 @@ from awx.main.access import (
JobTemplateAccess,
ScheduleAccess
)
from awx.main.migrations import _rbac as rbac
from awx.main.models import Permission
from awx.main.models.jobs import JobTemplate
from awx.main.models.schedules import Schedule
from django.apps import apps
@pytest.fixture
@@ -23,142 +19,6 @@ def jt_objects(job_template_factory):
return objects
@pytest.mark.django_db
def test_job_template_migration_check(credential, deploy_jobtemplate, check_jobtemplate, user):
admin = user('admin', is_superuser=True)
joe = user('joe')
credential.deprecated_user = joe
credential.save()
check_jobtemplate.project.organization.deprecated_users.add(joe)
Permission(user=joe, inventory=check_jobtemplate.inventory, permission_type='read').save()
Permission(user=joe, inventory=check_jobtemplate.inventory,
project=check_jobtemplate.project, permission_type='check').save()
rbac.migrate_users(apps, None)
rbac.migrate_organization(apps, None)
rbac.migrate_projects(apps, None)
rbac.migrate_inventory(apps, None)
assert joe in check_jobtemplate.project.read_role
assert admin in check_jobtemplate.execute_role
assert joe not in check_jobtemplate.execute_role
rbac.migrate_job_templates(apps, None)
assert admin in check_jobtemplate.execute_role
assert joe in check_jobtemplate.execute_role
assert admin in deploy_jobtemplate.execute_role
assert joe not in deploy_jobtemplate.execute_role
@pytest.mark.django_db
def test_job_template_migration_deploy(credential, deploy_jobtemplate, check_jobtemplate, user):
admin = user('admin', is_superuser=True)
joe = user('joe')
credential.deprecated_user = joe
credential.save()
deploy_jobtemplate.project.organization.deprecated_users.add(joe)
Permission(user=joe, inventory=deploy_jobtemplate.inventory, permission_type='read').save()
Permission(user=joe, inventory=deploy_jobtemplate.inventory,
project=deploy_jobtemplate.project, permission_type='run').save()
rbac.migrate_users(apps, None)
rbac.migrate_organization(apps, None)
rbac.migrate_projects(apps, None)
rbac.migrate_inventory(apps, None)
assert joe in deploy_jobtemplate.project.read_role
assert admin in deploy_jobtemplate.execute_role
assert joe not in deploy_jobtemplate.execute_role
rbac.migrate_job_templates(apps, None)
assert admin in deploy_jobtemplate.execute_role
assert joe in deploy_jobtemplate.execute_role
assert admin in check_jobtemplate.execute_role
assert joe in check_jobtemplate.execute_role
@pytest.mark.django_db
def test_job_template_team_migration_check(credential, deploy_jobtemplate, check_jobtemplate, organization, team, user):
admin = user('admin', is_superuser=True)
joe = user('joe')
team.deprecated_users.add(joe)
team.organization = organization
team.save()
credential.deprecated_team = team
credential.save()
check_jobtemplate.project.organization.deprecated_users.add(joe)
Permission(team=team, inventory=check_jobtemplate.inventory, permission_type='read').save()
Permission(team=team, inventory=check_jobtemplate.inventory,
project=check_jobtemplate.project, permission_type='check').save()
rbac.migrate_users(apps, None)
rbac.migrate_team(apps, None)
rbac.migrate_organization(apps, None)
rbac.migrate_projects(apps, None)
rbac.migrate_inventory(apps, None)
assert joe not in check_jobtemplate.read_role
assert admin in check_jobtemplate.execute_role
assert joe not in check_jobtemplate.execute_role
rbac.migrate_job_templates(apps, None)
assert admin in check_jobtemplate.execute_role
assert joe in check_jobtemplate.execute_role
assert admin in deploy_jobtemplate.execute_role
assert joe not in deploy_jobtemplate.execute_role
@pytest.mark.django_db
def test_job_template_team_deploy_migration(credential, deploy_jobtemplate, check_jobtemplate, organization, team, user):
admin = user('admin', is_superuser=True)
joe = user('joe')
team.deprecated_users.add(joe)
team.organization = organization
team.save()
credential.deprecated_team = team
credential.save()
deploy_jobtemplate.project.organization.deprecated_users.add(joe)
Permission(team=team, inventory=deploy_jobtemplate.inventory, permission_type='read').save()
Permission(team=team, inventory=deploy_jobtemplate.inventory,
project=deploy_jobtemplate.project, permission_type='run').save()
rbac.migrate_users(apps, None)
rbac.migrate_team(apps, None)
rbac.migrate_organization(apps, None)
rbac.migrate_projects(apps, None)
rbac.migrate_inventory(apps, None)
assert joe not in deploy_jobtemplate.read_role
assert admin in deploy_jobtemplate.execute_role
assert joe not in deploy_jobtemplate.execute_role
rbac.migrate_job_templates(apps, None)
assert joe in deploy_jobtemplate.read_role
assert admin in deploy_jobtemplate.execute_role
assert joe in deploy_jobtemplate.execute_role
assert admin in check_jobtemplate.execute_role
assert joe in check_jobtemplate.execute_role
@mock.patch.object(BaseAccess, 'check_license', return_value=None)
@pytest.mark.django_db
def test_job_template_access_superuser(check_license, user, deploy_jobtemplate):

44
awx/main/tests/functional/test_rbac_organization.py
View File

@@ -1,54 +1,10 @@
import mock
import pytest
from awx.main.migrations import _rbac as rbac
from awx.main.access import (
BaseAccess,
OrganizationAccess,
)
from django.apps import apps
@pytest.mark.django_db
def test_organization_migration_admin(organization, permissions, user):
u = user('admin', False)
organization.deprecated_admins.add(u)
# Undo some automatic work that we're supposed to be testing with our migration
organization.admin_role.members.remove(u)
assert u not in organization.admin_role
rbac.migrate_organization(apps, None)
assert u in organization.admin_role
@pytest.mark.django_db
def test_organization_migration_user(organization, permissions, user):
u = user('user', False)
organization.deprecated_users.add(u)
# Undo some automatic work that we're supposed to be testing with our migration
organization.member_role.members.remove(u)
assert u not in organization.read_role
rbac.migrate_organization(apps, None)
assert u in organization.read_role
@mock.patch.object(BaseAccess, 'check_license', return_value=None)
@pytest.mark.django_db
def test_organization_access_superuser(cl, organization, user):
access = OrganizationAccess(user('admin', True))
organization.deprecated_users.add(user('user', False))
assert access.can_change(organization, None)
assert access.can_delete(organization)
org = access.get_queryset()[0]
assert len(org.deprecated_admins.all()) == 0
assert len(org.deprecated_users.all()) == 1
@mock.patch.object(BaseAccess, 'check_license', return_value=None)

235
awx/main/tests/functional/test_rbac_project.py
View File

@@ -1,235 +0,0 @@
import pytest
from awx.main.migrations import _rbac as rbac
from awx.main.models import Role, Permission, Project, Organization, Credential, JobTemplate, Inventory
from awx.main.access import ProjectAccess
from django.apps import apps
from awx.main.migrations import _old_access as old_access
@pytest.mark.django_db
def test_project_migration(credentialtype_ssh):
'''
o1 o2 o3 with o1 -- i1 o2 -- i2
\ | /
\ | /
c1 ---- p1
/ | \
/ | \
jt1 jt2 jt3
| | |
i1 i2 i1
goes to
o1
|
|
c1 ---- p1
/ |
/ |
jt1 jt3
| |
i1 i1
o2
|
|
c1 ---- p2
|
|
jt2
|
i2
o3
|
|
c1 ---- p3
'''
o1 = Organization.objects.create(name='o1')
o2 = Organization.objects.create(name='o2')
o3 = Organization.objects.create(name='o3')
c1 = Credential.objects.create(name='c1', credential_type=credentialtype_ssh)
project_name = unicode("\xc3\xb4", "utf-8")
p1 = Project.objects.create(name=project_name, credential=c1)
p1.deprecated_organizations.add(o1, o2, o3)
i1 = Inventory.objects.create(name='i1', organization=o1)
i2 = Inventory.objects.create(name='i2', organization=o2)
jt1 = JobTemplate.objects.create(name='jt1', project=p1, inventory=i1)
jt2 = JobTemplate.objects.create(name='jt2', project=p1, inventory=i2)
jt3 = JobTemplate.objects.create(name='jt3', project=p1, inventory=i1)
assert o1.projects.count() == 0
assert o2.projects.count() == 0
assert o3.projects.count() == 0
rbac.migrate_projects(apps, None)
jt1 = JobTemplate.objects.get(pk=jt1.pk)
jt2 = JobTemplate.objects.get(pk=jt2.pk)
jt3 = JobTemplate.objects.get(pk=jt3.pk)
assert jt1.project == jt3.project
assert jt1.project != jt2.project
assert o1.projects.count() == 1
assert o2.projects.count() == 1
assert o3.projects.count() == 1
assert o1.projects.all()[0].jobtemplates.count() == 2
assert o2.projects.all()[0].jobtemplates.count() == 1
assert o3.projects.all()[0].jobtemplates.count() == 0
@pytest.mark.django_db
def test_single_org_project_migration(organization):
project = Project.objects.create(name='my project',
description="description",
organization=None)
organization.deprecated_projects.add(project)
assert project.organization is None
rbac.migrate_projects(apps, None)
project = Project.objects.get(id=project.id)
assert project.organization.id == organization.id
@pytest.mark.django_db
def test_no_org_project_migration(organization):
project = Project.objects.create(name='my project',
description="description",
organization=None)
assert project.organization is None
rbac.migrate_projects(apps, None)
assert project.organization is None
@pytest.mark.django_db
def test_multi_org_project_migration():
org1 = Organization.objects.create(name="org1", description="org1 desc")
org2 = Organization.objects.create(name="org2", description="org2 desc")
project = Project.objects.create(name='my project',
description="description",
organization=None)
assert Project.objects.all().count() == 1
assert Project.objects.filter(organization=org1).count() == 0
assert Project.objects.filter(organization=org2).count() == 0
project.deprecated_organizations.add(org1)
project.deprecated_organizations.add(org2)
assert project.organization is None
rbac.migrate_projects(apps, None)
assert Project.objects.filter(organization=org1).count() == 1
assert Project.objects.filter(organization=org2).count() == 1
@pytest.mark.django_db
def test_project_user_project(user_project, project, user):
u = user('owner')
assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
assert old_access.check_user_access(u, project.__class__, 'read', project) is False
assert u not in user_project.read_role
assert u not in project.read_role
rbac.migrate_projects(apps, None)
assert u in user_project.read_role
assert u not in project.read_role
@pytest.mark.django_db
def test_project_accessible_by_sa(user, project):
u = user('systemadmin', is_superuser=True)
# This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
Role.singleton('system_administrator').members.remove(u)
assert u not in project.read_role
rbac.migrate_organization(apps, None)
rbac.migrate_users(apps, None)
rbac.migrate_projects(apps, None)
print(project.admin_role.ancestors.all())
print(project.admin_role.ancestors.all())
assert u in project.admin_role
@pytest.mark.django_db
def test_project_org_members(user, organization, project):
admin = user('orgadmin')
member = user('orgmember')
assert admin not in project.read_role
assert member not in project.read_role
organization.deprecated_admins.add(admin)
organization.deprecated_users.add(member)
rbac.migrate_organization(apps, None)
rbac.migrate_projects(apps, None)
assert admin in project.admin_role
assert member in project.read_role
@pytest.mark.django_db
def test_project_team(user, team, project):
nonmember = user('nonmember')
member = user('member')
team.deprecated_users.add(member)
project.deprecated_teams.add(team)
assert nonmember not in project.read_role
assert member not in project.read_role
rbac.migrate_team(apps, None)
rbac.migrate_organization(apps, None)
rbac.migrate_projects(apps, None)
assert member in project.read_role
assert nonmember not in project.read_role
@pytest.mark.django_db
def test_project_explicit_permission(user, team, project, organization):
u = user('prjuser')
assert old_access.check_user_access(u, project.__class__, 'read', project) is False
organization.deprecated_users.add(u)
p = Permission(user=u, project=project, permission_type='create', name='Perm name')
p.save()
assert u not in project.read_role
rbac.migrate_organization(apps, None)
rbac.migrate_projects(apps, None)
assert u in project.read_role
@pytest.mark.django_db
def test_create_project_foreign_org_admin(org_admin, organization, organization_factory):
"""Org admins can only create projects in their own org."""
other_org = organization_factory('not-my-org').organization
access = ProjectAccess(org_admin)
assert not access.can_add({'organization': other_org.pk, 'name': 'new-project'})
@pytest.mark.django_db
def test_modify_project_foreign_org_admin(org_admin, organization, organization_factory, project):
"""Org admins can only modify projects in their own org."""
other_org = organization_factory('not-my-org').organization
access = ProjectAccess(org_admin)
assert not access.can_change(project, {'organization': other_org.pk, 'name': 'new-project'})

26
awx/main/tests/functional/test_rbac_user.py
View File

@@ -1,11 +1,9 @@
import pytest
from django.apps import apps
from django.test import TransactionTestCase
from awx.main.migrations import _rbac as rbac
from awx.main.access import UserAccess
from awx.main.models import Role, User, Organization, Inventory
from awx.main.models import User, Organization, Inventory
@pytest.mark.django_db
@@ -46,28 +44,6 @@ def test_system_auditor_is_system_auditor(system_auditor):
assert system_auditor.is_system_auditor
@pytest.mark.django_db
def test_user_admin(user_project, project, user):
username = unicode("\xc3\xb4", "utf-8")
joe = user(username, is_superuser = False)
admin = user('admin', is_superuser = True)
sa = Role.singleton('system_administrator')
# this should happen automatically with our signal
assert sa.members.filter(id=admin.id).exists() is True
sa.members.remove(admin)
assert sa.members.filter(id=joe.id).exists() is False
assert sa.members.filter(id=admin.id).exists() is False
rbac.migrate_users(apps, None)
# The migration should add the admin back in
assert sa.members.filter(id=joe.id).exists() is False
assert sa.members.filter(id=admin.id).exists() is True
@pytest.mark.django_db
def test_user_queryset(user):
u = user('pete', False)