Merge branch 'rbac' of github.com:ansible/ansible-tower into rbac

2026-05-11 19:37:38 -02:30 · 2016-03-18 11:17:04 -04:00
parent ccfb73766c 3a11bca31f
commit 13dd27ac52
5 changed files with 228 additions and 49 deletions
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@@ -2,6 +2,8 @@ import pytest

 from awx.main.access import CredentialAccess
 from awx.main.models.credential import Credential
+from awx.main.models.jobs import JobTemplate
+from awx.main.models.inventory import InventorySource
 from awx.main.migrations import _rbac as rbac
 from django.apps import apps
 from django.contrib.auth.models import User
@@ -49,9 +51,6 @@ def test_credential_migration_team_admin(credential, team, user, permissions):
    credential.team = team
    credential.save()

-    # No permissions pre-migration
-    team.admin_role.children.remove(credential.owner_role)
-    team.member_role.children.remove(credential.usage_role)
    assert not credential.accessible_by(u, permissions['usage'])

    # Usage permissions post migration
@@ -76,17 +75,15 @@ def test_credential_access_admin(user, team, credential):
    access = CredentialAccess(u)

    assert access.can_add({'user': u.pk})
-    assert access.can_add({'team': team.pk})
-
    assert not access.can_change(credential, {'user': u.pk})

-    # unowned credential can be deleted
-    assert access.can_delete(credential)
+    # unowned credential is superuser only
+    assert not access.can_delete(credential)

    # credential is now part of a team
    # that is part of an organization
    # that I am an admin for
-    credential.team = team
+    credential.owner_role.parents.add(team.admin_role)
    credential.save()
    credential.owner_role.rebuild_role_ancestor_list()

@@ -96,3 +93,114 @@ def test_credential_access_admin(user, team, credential):

    # should have can_change access as org-admin
    assert access.can_change(credential, {'user': u.pk})
+
+@pytest.mark.django_db
+def test_cred_job_template(user, deploy_jobtemplate):
+    a = user('admin', False)
+    org = deploy_jobtemplate.project.organization
+    org.admin_role.members.add(a)
+
+    cred = deploy_jobtemplate.credential
+    cred.user = user('john', False)
+    cred.save()
+
+    access = CredentialAccess(a)
+    rbac.migrate_credential(apps, None)
+    assert access.can_change(cred, {'organization': org.pk})
+
+    org.admin_role.members.remove(a)
+    assert not access.can_change(cred, {'organization': org.pk})
+
+@pytest.mark.django_db
+def test_cred_multi_job_template_single_org(user, deploy_jobtemplate):
+    a = user('admin', False)
+    org = deploy_jobtemplate.project.organization
+    org.admin_role.members.add(a)
+
+    cred = deploy_jobtemplate.credential
+    cred.user = user('john', False)
+    cred.save()
+
+    access = CredentialAccess(a)
+    rbac.migrate_credential(apps, None)
+    assert access.can_change(cred, {'organization': org.pk})
+
+    org.admin_role.members.remove(a)
+    assert not access.can_change(cred, {'organization': org.pk})
+
+@pytest.mark.django_db
+def test_single_cred_multi_job_template_multi_org(user, organizations, credential):
+    orgs = organizations(2)
+    jts = []
+    for org in orgs:
+        inv = org.inventories.create(name="inv-%d" % org.pk)
+        jt = JobTemplate.objects.create(
+            inventory=inv,
+            credential=credential,
+            name="test-jt-org-%d" % org.pk,
+            job_type='check',
+        )
+        jts.append(jt)
+
+    a = user('admin', False)
+    orgs[0].admin_role.members.add(a)
+    orgs[1].admin_role.members.add(a)
+
+    access = CredentialAccess(a)
+    rbac.migrate_credential(apps, None)
+
+    for jt in jts:
+        jt.refresh_from_db()
+
+    assert jts[0].credential != jts[1].credential
+    assert access.can_change(jts[0].credential, {'organization': org.pk})
+    assert access.can_change(jts[1].credential, {'organization': org.pk})
+
+    orgs[0].admin_role.members.remove(a)
+    assert not access.can_change(jts[0].credential, {'organization': org.pk})
+
+@pytest.mark.django_db
+def test_cred_inventory_source(user, inventory, credential):
+    u = user('member', False)
+    inventory.organization.member_role.members.add(u)
+
+    InventorySource.objects.create(
+        name="test-inv-src",
+        credential=credential,
+        inventory=inventory,
+    )
+
+    assert not credential.accessible_by(u, {'use':True})
+
+    rbac.migrate_credential(apps, None)
+    assert credential.accessible_by(u, {'use':True})
+
+@pytest.mark.django_db
+def test_cred_project(user, credential, project):
+    u = user('member', False)
+    project.organization.member_role.members.add(u)
+    project.credential = credential
+    project.save()
+
+    assert not credential.accessible_by(u, {'use':True})
+
+    rbac.migrate_credential(apps, None)
+    assert credential.accessible_by(u, {'use':True})
+
+@pytest.mark.django_db
+def test_cred_no_org(user, credential):
+    su = user('su', True)
+    access = CredentialAccess(su)
+    assert access.can_change(credential, {'user': su.pk})
+
+@pytest.mark.django_db
+def test_cred_team(user, team, credential):
+    u = user('a', False)
+    team.member_role.members.add(u)
+    credential.team = team
+    credential.save()
+
+    assert not credential.accessible_by(u, {'use':True})
+
+    rbac.migrate_credential(apps, None)
+    assert credential.accessible_by(u, {'use':True})