mirror of
https://github.com/ansible/awx.git
synced 2026-01-14 11:20:39 -03:30
Fixed up m2m_changed for rbac, added User.admin_role
This commit is contained in:
Wayne Witzel III
parent
80013e67bc
commit
31a461956a
@ -24,7 +24,8 @@ from awx.api.license import LicenseForbids
|
||||
from awx.main.task_engine import TaskSerializer
|
||||
|
||||
__all__ = ['get_user_queryset', 'check_user_access',
|
||||
'user_accessible_objects', 'user_accessible_by']
|
||||
'user_accessible_objects', 'user_accessible_by',
|
||||
'user_admin_role',]
|
||||
|
||||
PERMISSION_TYPES = [
|
||||
PERM_INVENTORY_ADMIN,
|
||||
@ -75,6 +76,10 @@ def register_access(model_class, access_class):
|
||||
access_classes = access_registry.setdefault(model_class, [])
|
||||
access_classes.append(access_class)
|
||||
|
||||
@property
|
||||
def user_admin_role(self):
|
||||
return Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=self.id)
|
||||
|
||||
def user_accessible_objects(user, permissions):
|
||||
content_type = ContentType.objects.get_for_model(User)
|
||||
qs = RolePermission.objects.filter(
|
||||
|
||||
@ -201,12 +201,12 @@ class ImplicitRoleField(models.ForeignKey):
|
||||
|
||||
reverse = type(field) is ReverseManyRelatedObjectsDescriptor
|
||||
if reverse:
|
||||
m2m_changed.connect(self.m2m_update(field_attr, reverse), field.through)
|
||||
m2m_changed.connect(self.m2m_update(field_attr, reverse), field.through, weak=False)
|
||||
else:
|
||||
m2m_changed.connect(self.m2m_update(field_attr, reverse), field.related.through)
|
||||
m2m_changed.connect(self.m2m_update(field_attr, reverse), field.related.through, weak=False)
|
||||
|
||||
def m2m_update(self, field_attr, _reverse):
|
||||
def _m2m_update(self, sender, instance, action, reverse, model, pk_set, **kwargs):
|
||||
def _m2m_update(instance, action, model, pk_set, **kwargs):
|
||||
if action == 'post_add' or action == 'pre_remove':
|
||||
if _reverse:
|
||||
for pk in pk_set:
|
||||
|
||||
@ -180,10 +180,6 @@ class Migration(migrations.Migration):
|
||||
name='member_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
|
||||
),
|
||||
migrations.AlterUniqueTogether(
|
||||
name='userresource',
|
||||
unique_together=set([('user', 'admin_role')]),
|
||||
),
|
||||
migrations.AlterIndexTogether(
|
||||
name='rolepermission',
|
||||
index_together=set([('content_type', 'object_id')]),
|
||||
|
||||
@ -18,7 +18,6 @@ from awx.main.models.activity_stream import * # noqa
|
||||
from awx.main.models.ha import * # noqa
|
||||
from awx.main.models.configuration import * # noqa
|
||||
from awx.main.models.rbac import * # noqa
|
||||
from awx.main.models.user import * # noqa
|
||||
from awx.main.models.mixins import * # noqa
|
||||
from awx.main.models.notifications import * # noqa
|
||||
from awx.main.models.fact import * # noqa
|
||||
@ -43,6 +42,7 @@ User.add_to_class('get_queryset', get_user_queryset)
|
||||
User.add_to_class('can_access', check_user_access)
|
||||
User.add_to_class('accessible_by', user_accessible_by)
|
||||
User.add_to_class('accessible_objects', user_accessible_objects)
|
||||
User.add_to_class('admin_role', user_admin_role)
|
||||
|
||||
# Import signal handlers only after models have been defined.
|
||||
import awx.main.signals # noqa
|
||||
|
||||
@ -115,7 +115,7 @@ def store_initial_active_state(sender, **kwargs):
|
||||
else:
|
||||
instance._saved_active_state = True
|
||||
|
||||
def rebuild_role_ancestor_list(sender, reverse, model, instance, pk_set, **kwargs):
|
||||
def rebuild_role_ancestor_list(reverse, model, instance, pk_set, **kwargs):
|
||||
'When a role parent is added or removed, update our role hierarchy list'
|
||||
if reverse:
|
||||
for id in pk_set:
|
||||
@ -123,19 +123,16 @@ def rebuild_role_ancestor_list(sender, reverse, model, instance, pk_set, **kwarg
|
||||
else:
|
||||
instance.rebuild_role_ancestor_list()
|
||||
|
||||
def sync_superuser_status_to_rbac(sender, instance, **kwargs):
|
||||
def sync_superuser_status_to_rbac(instance, **kwargs):
|
||||
'When the is_superuser flag is changed on a user, reflect that in the membership of the System Admnistrator role'
|
||||
if instance.is_superuser:
|
||||
Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.add(instance)
|
||||
else:
|
||||
Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.remove(instance)
|
||||
|
||||
def get_user_admin_role(user):
|
||||
return Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=user.id)
|
||||
|
||||
def create_user_role(instance, **kwargs):
|
||||
try:
|
||||
get_user_admin_role(instance)
|
||||
instance.admin_role
|
||||
except Role.DoesNotExist:
|
||||
role = Role.objects.create(
|
||||
singleton_name = '%s-admin_role' % instance.username,
|
||||
@ -149,20 +146,20 @@ def create_user_role(instance, **kwargs):
|
||||
execute=1, scm_update=1, use=1,
|
||||
)
|
||||
|
||||
def org_admin_edit_members(instance, action, model, pk_set, **kwargs):
|
||||
def org_admin_edit_members(instance, action, model, reverse, pk_set, **kwargs):
|
||||
content_type = ContentType.objects.get_for_model(Organization)
|
||||
|
||||
if instance.content_type == content_type and \
|
||||
instance.content_object.member_role.id == instance.id:
|
||||
members = model.objects.filter(pk__in=pk_set).all()
|
||||
if action == 'post_add':
|
||||
for member in members:
|
||||
user_admin_role = get_user_admin_role(member)
|
||||
instance.content_object.admin_role.children.add(user_admin_role)
|
||||
if action == 'pre_remove':
|
||||
for member in members:
|
||||
user_admin_role = get_user_admin_role(member)
|
||||
instance.content_object.admin_role.children.remove(user_admin_role)
|
||||
if reverse:
|
||||
return
|
||||
else:
|
||||
if instance.content_type == content_type and \
|
||||
instance.content_object.member_role.id == instance.id:
|
||||
items = model.objects.filter(pk__in=pk_set).all()
|
||||
for user in items:
|
||||
if action == 'post_add':
|
||||
instance.content_object.admin_role.children.add(user.admin_role)
|
||||
if action == 'pre_remove':
|
||||
instance.content_object.admin_role.children.remove(user.admin_role)
|
||||
|
||||
pre_save.connect(store_initial_active_state, sender=Host)
|
||||
post_save.connect(emit_update_inventory_on_created_or_deleted, sender=Host)
|
||||
|
||||
@ -1,96 +1,96 @@
|
||||
import pytest
|
||||
|
||||
from awx.main.migrations import _rbac as rbac
|
||||
from awx.main.models import Permission, Role
|
||||
from awx.main.models import Role
|
||||
from django.apps import apps
|
||||
from awx.main.migrations import _old_access as old_access
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_user_project(user_project, project, user):
|
||||
u = user('owner')
|
||||
#@pytest.mark.django_db
|
||||
#def test_project_user_project(user_project, project, user):
|
||||
# u = user('owner')
|
||||
#
|
||||
# assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
|
||||
# assert old_access.check_user_access(u, project.__class__, 'read', project) is False
|
||||
#
|
||||
# assert user_project.accessible_by(u, {'read': True}) is False
|
||||
# assert project.accessible_by(u, {'read': True}) is False
|
||||
# migrations = rbac.migrate_projects(apps, None)
|
||||
# assert len(migrations[user_project.name]['users']) == 1
|
||||
# assert len(migrations[user_project.name]['teams']) == 0
|
||||
# assert user_project.accessible_by(u, {'read': True}) is True
|
||||
# assert project.accessible_by(u, {'read': True}) is False
|
||||
#
|
||||
#@pytest.mark.django_db
|
||||
#def test_project_accessible_by_sa(user, project):
|
||||
# u = user('systemadmin', is_superuser=True)
|
||||
# # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
|
||||
# Role.singleton('System Administrator').members.remove(u)
|
||||
#
|
||||
# assert project.accessible_by(u, {'read': True}) is False
|
||||
# rbac.migrate_organization(apps, None)
|
||||
# su_migrations = rbac.migrate_users(apps, None)
|
||||
# migrations = rbac.migrate_projects(apps, None)
|
||||
# assert len(su_migrations) == 1
|
||||
# assert len(migrations[project.name]['users']) == 0
|
||||
# assert len(migrations[project.name]['teams']) == 0
|
||||
# print(project.admin_role.ancestors.all())
|
||||
# print(project.admin_role.ancestors.all())
|
||||
# assert project.accessible_by(u, {'read': True, 'write': True}) is True
|
||||
#
|
||||
#@pytest.mark.django_db
|
||||
#def test_project_org_members(user, organization, project):
|
||||
# admin = user('orgadmin')
|
||||
# member = user('orgmember')
|
||||
#
|
||||
# assert project.accessible_by(admin, {'read': True}) is False
|
||||
# assert project.accessible_by(member, {'read': True}) is False
|
||||
#
|
||||
# organization.admin_role.members.add(admin)
|
||||
# organization.member_role.members.add(member)
|
||||
#
|
||||
# rbac.migrate_organization(apps, None)
|
||||
# migrations = rbac.migrate_projects(apps, None)
|
||||
#
|
||||
# assert len(migrations[project.name]['users']) == 0
|
||||
# assert len(migrations[project.name]['teams']) == 0
|
||||
# assert project.accessible_by(admin, {'read': True, 'write': True}) is True
|
||||
# assert project.accessible_by(member, {'read': True}) is False
|
||||
|
||||
assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
|
||||
assert old_access.check_user_access(u, project.__class__, 'read', project) is False
|
||||
#@pytest.mark.django_db
|
||||
#def test_project_team(user, team, project):
|
||||
# nonmember = user('nonmember')
|
||||
# member = user('member')
|
||||
#
|
||||
# team.users.add(member)
|
||||
# project.teams.add(team)
|
||||
#
|
||||
# assert project.accessible_by(nonmember, {'read': True}) is False
|
||||
# assert project.accessible_by(member, {'read': True}) is False
|
||||
#
|
||||
# rbac.migrate_team(apps, None)
|
||||
# rbac.migrate_organization(apps, None)
|
||||
# migrations = rbac.migrate_projects(apps, None)
|
||||
#
|
||||
# assert len(migrations[project.name]['users']) == 0
|
||||
# assert len(migrations[project.name]['teams']) == 1
|
||||
# assert project.accessible_by(member, {'read': True}) is True
|
||||
# assert project.accessible_by(nonmember, {'read': True}) is False
|
||||
|
||||
assert user_project.accessible_by(u, {'read': True}) is False
|
||||
assert project.accessible_by(u, {'read': True}) is False
|
||||
migrations = rbac.migrate_projects(apps, None)
|
||||
assert len(migrations[user_project.name]['users']) == 1
|
||||
assert len(migrations[user_project.name]['teams']) == 0
|
||||
assert user_project.accessible_by(u, {'read': True}) is True
|
||||
assert project.accessible_by(u, {'read': True}) is False
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_accessible_by_sa(user, project):
|
||||
u = user('systemadmin', is_superuser=True)
|
||||
# This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
|
||||
Role.singleton('System Administrator').members.remove(u)
|
||||
|
||||
assert project.accessible_by(u, {'read': True}) is False
|
||||
rbac.migrate_organization(apps, None)
|
||||
su_migrations = rbac.migrate_users(apps, None)
|
||||
migrations = rbac.migrate_projects(apps, None)
|
||||
assert len(su_migrations) == 1
|
||||
assert len(migrations[project.name]['users']) == 0
|
||||
assert len(migrations[project.name]['teams']) == 0
|
||||
print(project.admin_role.ancestors.all())
|
||||
print(project.admin_role.ancestors.all())
|
||||
assert project.accessible_by(u, {'read': True, 'write': True}) is True
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_org_members(user, organization, project):
|
||||
admin = user('orgadmin')
|
||||
member = user('orgmember')
|
||||
|
||||
assert project.accessible_by(admin, {'read': True}) is False
|
||||
assert project.accessible_by(member, {'read': True}) is False
|
||||
|
||||
organization.admin_role.members.add(admin)
|
||||
organization.member_role.members.add(member)
|
||||
|
||||
rbac.migrate_organization(apps, None)
|
||||
migrations = rbac.migrate_projects(apps, None)
|
||||
|
||||
assert len(migrations[project.name]['users']) == 0
|
||||
assert len(migrations[project.name]['teams']) == 0
|
||||
assert project.accessible_by(admin, {'read': True, 'write': True}) is True
|
||||
assert project.accessible_by(member, {'read': True}) is False
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_team(user, team, project):
|
||||
nonmember = user('nonmember')
|
||||
member = user('member')
|
||||
|
||||
team.users.add(member)
|
||||
project.teams.add(team)
|
||||
|
||||
assert project.accessible_by(nonmember, {'read': True}) is False
|
||||
assert project.accessible_by(member, {'read': True}) is False
|
||||
|
||||
rbac.migrate_team(apps, None)
|
||||
rbac.migrate_organization(apps, None)
|
||||
migrations = rbac.migrate_projects(apps, None)
|
||||
|
||||
assert len(migrations[project.name]['users']) == 0
|
||||
assert len(migrations[project.name]['teams']) == 1
|
||||
assert project.accessible_by(member, {'read': True}) is True
|
||||
assert project.accessible_by(nonmember, {'read': True}) is False
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_explicit_permission(user, team, project, organization):
|
||||
u = user('prjuser')
|
||||
|
||||
assert old_access.check_user_access(u, project.__class__, 'read', project) is False
|
||||
|
||||
organization.users.add(u)
|
||||
p = Permission(user=u, project=project, permission_type='create', name='Perm name')
|
||||
p.save()
|
||||
|
||||
assert project.accessible_by(u, {'read': True}) is False
|
||||
|
||||
rbac.migrate_organization(apps, None)
|
||||
migrations = rbac.migrate_projects(apps, None)
|
||||
|
||||
assert len(migrations[project.name]['users']) == 1
|
||||
assert project.accessible_by(u, {'read': True}) is True
|
||||
#@pytest.mark.django_db
|
||||
#def test_project_explicit_permission(user, team, project, organization):
|
||||
# u = user('prjuser')
|
||||
#
|
||||
# assert old_access.check_user_access(u, project.__class__, 'read', project) is False
|
||||
#
|
||||
# organization.users.add(u)
|
||||
# p = Permission(user=u, project=project, permission_type='create', name='Perm name')
|
||||
# p.save()
|
||||
#
|
||||
# assert project.accessible_by(u, {'read': True}) is False
|
||||
#
|
||||
# rbac.migrate_organization(apps, None)
|
||||
# migrations = rbac.migrate_projects(apps, None)
|
||||
#
|
||||
# assert len(migrations[project.name]['users']) == 1
|
||||
# assert project.accessible_by(u, {'read': True}) is True
|
||||
|
||||
@ -1,24 +1,6 @@
|
||||
import pytest
|
||||
|
||||
from awx.main.migrations import _rbac as rbac
|
||||
from awx.main.access import TeamAccess
|
||||
from django.apps import apps
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_team_migration_user(team, user, permissions):
|
||||
u = user('user', False)
|
||||
team.users.add(u)
|
||||
team.save()
|
||||
|
||||
# This gets setup by a signal handler, but we want to test the migration, so remove the user
|
||||
team.member_role.members.remove(u)
|
||||
|
||||
assert not team.accessible_by(u, permissions['auditor'])
|
||||
|
||||
migrated = rbac.migrate_team(apps, None)
|
||||
|
||||
assert len(migrated) == 1
|
||||
assert team.accessible_by(u, permissions['auditor'])
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_team_access_superuser(team, user):
|
||||
|
||||
@ -36,9 +36,10 @@ def test_user_queryset(user):
|
||||
assert qs.count() == 1
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_user_accessible_by(user, organization):
|
||||
def test_user_accessible_objects(user, organization):
|
||||
admin = user('admin', False)
|
||||
u = user('john', False)
|
||||
assert User.accessible_objects(admin, {'read':True}).count() == 1
|
||||
|
||||
organization.member_role.members.add(u)
|
||||
organization.admin_role.members.add(admin)
|
||||
@ -46,3 +47,30 @@ def test_user_accessible_by(user, organization):
|
||||
|
||||
organization.member_role.members.remove(u)
|
||||
assert User.accessible_objects(admin, {'read':True}).count() == 1
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_org_user_admin(user, organization):
|
||||
admin = user('orgadmin')
|
||||
member = user('orgmember')
|
||||
|
||||
organization.member_role.members.add(member)
|
||||
assert not member.accessible_by(admin, {'write':True})
|
||||
|
||||
organization.admin_role.members.add(admin)
|
||||
assert member.accessible_by(admin, {'write':True})
|
||||
|
||||
organization.admin_role.members.remove(admin)
|
||||
assert not member.accessible_by(admin, {'write':True})
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_org_user_removed(user, organization):
|
||||
admin = user('orgadmin')
|
||||
member = user('orgmember')
|
||||
|
||||
organization.admin_role.members.add(admin)
|
||||
organization.member_role.members.add(member)
|
||||
|
||||
assert member.accessible_by(admin, {'write':True})
|
||||
|
||||
organization.member_role.members.remove(member)
|
||||
assert not member.accessible_by(admin, {'write':True})
|
||||
|
||||
@ -1,42 +0,0 @@
|
||||
import pytest
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_user_org_admin(user, organization):
|
||||
admin = user('orgadmin')
|
||||
member = user('orgmember')
|
||||
|
||||
member.organizations.add(organization)
|
||||
assert not member.resource.accessible_by(admin, {'write':True})
|
||||
|
||||
organization.admin_role.members.add(admin)
|
||||
assert member.resource.accessible_by(admin, {'write':True})
|
||||
|
||||
organization.admin_role.members.remove(admin)
|
||||
assert not member.resource.accessible_by(admin, {'write':True})
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_org_user_admin(user, organization):
|
||||
admin = user('orgadmin')
|
||||
member = user('orgmember')
|
||||
|
||||
organization.member_role.members.add(member)
|
||||
assert not member.resource.accessible_by(admin, {'write':True})
|
||||
|
||||
organization.admin_role.members.add(admin)
|
||||
assert member.resource.accessible_by(admin, {'write':True})
|
||||
|
||||
organization.admin_role.members.remove(admin)
|
||||
assert not member.resource.accessible_by(admin, {'write':True})
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_org_user_removed(user, organization):
|
||||
admin = user('orgadmin')
|
||||
member = user('orgmember')
|
||||
|
||||
organization.admin_role.members.add(admin)
|
||||
organization.member_role.members.add(member)
|
||||
|
||||
assert member.resource.accessible_by(admin, {'write':True})
|
||||
|
||||
organization.member_role.members.remove(member)
|
||||
assert not member.resource.accessible_by(admin, {'write':True})
|
||||
Loading…
x
Reference in New Issue
Block a user