External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-01 16:58:46 -03:30
Code Issues Packages Projects Releases Wiki Activity

Fixed up m2m_changed for rbac, added User.admin_role

Browse Source
This commit is contained in:
Wayne Witzel III
2016-03-11 14:59:47 -05:00
parent 80013e67bc
commit 31a461956a
9 changed files with 141 additions and 175 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
awx/main/access.py
View File

@@ -24,7 +24,8 @@ from awx.api.license import LicenseForbids
from awx.main.task_engine import TaskSerializer from awx.main.task_engine import TaskSerializer
__all__ = ['get_user_queryset', 'check_user_access', __all__ = ['get_user_queryset', 'check_user_access',
'user_accessible_objects', 'user_accessible_by'] 'user_accessible_objects', 'user_accessible_by',
'user_admin_role',]
PERMISSION_TYPES = [ PERMISSION_TYPES = [
PERM_INVENTORY_ADMIN, PERM_INVENTORY_ADMIN,
@@ -75,6 +76,10 @@ def register_access(model_class, access_class):
access_classes = access_registry.setdefault(model_class, []) access_classes = access_registry.setdefault(model_class, [])
access_classes.append(access_class) access_classes.append(access_class)
@property
def user_admin_role(self):
return Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=self.id)
def user_accessible_objects(user, permissions): def user_accessible_objects(user, permissions):
content_type = ContentType.objects.get_for_model(User) content_type = ContentType.objects.get_for_model(User)
qs = RolePermission.objects.filter( qs = RolePermission.objects.filter(

6
awx/main/fields.py
View File

@@ -201,12 +201,12 @@ class ImplicitRoleField(models.ForeignKey):
reverse = type(field) is ReverseManyRelatedObjectsDescriptor reverse = type(field) is ReverseManyRelatedObjectsDescriptor
if reverse: if reverse:
m2m_changed.connect(self.m2m_update(field_attr, reverse), field.through) m2m_changed.connect(self.m2m_update(field_attr, reverse), field.through, weak=False)
else: else:
m2m_changed.connect(self.m2m_update(field_attr, reverse), field.related.through) m2m_changed.connect(self.m2m_update(field_attr, reverse), field.related.through, weak=False)
def m2m_update(self, field_attr, _reverse): def m2m_update(self, field_attr, _reverse):
def _m2m_update(self, sender, instance, action, reverse, model, pk_set, **kwargs): def _m2m_update(instance, action, model, pk_set, **kwargs):
if action == 'post_add' or action == 'pre_remove': if action == 'post_add' or action == 'pre_remove':
if _reverse: if _reverse:
for pk in pk_set: for pk in pk_set:

4
awx/main/migrations/0007_v300_rbac_changes.py
View File

@@ -180,10 +180,6 @@ class Migration(migrations.Migration):
name='member_role', name='member_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
), ),
migrations.AlterUniqueTogether(
name='userresource',
unique_together=set([('user', 'admin_role')]),
),
migrations.AlterIndexTogether( migrations.AlterIndexTogether(
name='rolepermission', name='rolepermission',
index_together=set([('content_type', 'object_id')]), index_together=set([('content_type', 'object_id')]),

2
awx/main/models/__init__.py
View File

@@ -18,7 +18,6 @@ from awx.main.models.activity_stream import * # noqa
from awx.main.models.ha import * # noqa from awx.main.models.ha import * # noqa
from awx.main.models.configuration import * # noqa from awx.main.models.configuration import * # noqa
from awx.main.models.rbac import * # noqa from awx.main.models.rbac import * # noqa
from awx.main.models.user import * # noqa
from awx.main.models.mixins import * # noqa from awx.main.models.mixins import * # noqa
from awx.main.models.notifications import * # noqa from awx.main.models.notifications import * # noqa
from awx.main.models.fact import * # noqa from awx.main.models.fact import * # noqa
@@ -43,6 +42,7 @@ User.add_to_class('get_queryset', get_user_queryset)
User.add_to_class('can_access', check_user_access) User.add_to_class('can_access', check_user_access)
User.add_to_class('accessible_by', user_accessible_by) User.add_to_class('accessible_by', user_accessible_by)
User.add_to_class('accessible_objects', user_accessible_objects) User.add_to_class('accessible_objects', user_accessible_objects)
User.add_to_class('admin_role', user_admin_role)
# Import signal handlers only after models have been defined. # Import signal handlers only after models have been defined.
import awx.main.signals # noqa import awx.main.signals # noqa

33
awx/main/signals.py
View File

@@ -115,7 +115,7 @@ def store_initial_active_state(sender, **kwargs):
else: else:
instance._saved_active_state = True instance._saved_active_state = True
def rebuild_role_ancestor_list(sender, reverse, model, instance, pk_set, **kwargs): def rebuild_role_ancestor_list(reverse, model, instance, pk_set, **kwargs):
'When a role parent is added or removed, update our role hierarchy list' 'When a role parent is added or removed, update our role hierarchy list'
if reverse: if reverse:
for id in pk_set: for id in pk_set:
@@ -123,19 +123,16 @@ def rebuild_role_ancestor_list(sender, reverse, model, instance, pk_set, **kwarg
else: else:
instance.rebuild_role_ancestor_list() instance.rebuild_role_ancestor_list()
def sync_superuser_status_to_rbac(sender, instance, **kwargs): def sync_superuser_status_to_rbac(instance, **kwargs):
'When the is_superuser flag is changed on a user, reflect that in the membership of the System Admnistrator role' 'When the is_superuser flag is changed on a user, reflect that in the membership of the System Admnistrator role'
if instance.is_superuser: if instance.is_superuser:
Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.add(instance) Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.add(instance)
else: else:
Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.remove(instance) Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.remove(instance)
def get_user_admin_role(user):
return Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=user.id)
def create_user_role(instance, **kwargs): def create_user_role(instance, **kwargs):
try: try:
get_user_admin_role(instance) instance.admin_role
except Role.DoesNotExist: except Role.DoesNotExist:
role = Role.objects.create( role = Role.objects.create(
singleton_name = '%s-admin_role' % instance.username, singleton_name = '%s-admin_role' % instance.username,
@@ -149,20 +146,20 @@ def create_user_role(instance, **kwargs):
execute=1, scm_update=1, use=1, execute=1, scm_update=1, use=1,
) )
def org_admin_edit_members(instance, action, model, pk_set, **kwargs): def org_admin_edit_members(instance, action, model, reverse, pk_set, **kwargs):
content_type = ContentType.objects.get_for_model(Organization) content_type = ContentType.objects.get_for_model(Organization)
if instance.content_type == content_type and \ if reverse:
instance.content_object.member_role.id == instance.id: return
members = model.objects.filter(pk__in=pk_set).all() else:
if action == 'post_add': if instance.content_type == content_type and \
for member in members: instance.content_object.member_role.id == instance.id:
user_admin_role = get_user_admin_role(member) items = model.objects.filter(pk__in=pk_set).all()
instance.content_object.admin_role.children.add(user_admin_role) for user in items:
if action == 'pre_remove': if action == 'post_add':
for member in members: instance.content_object.admin_role.children.add(user.admin_role)
user_admin_role = get_user_admin_role(member) if action == 'pre_remove':
instance.content_object.admin_role.children.remove(user_admin_role) instance.content_object.admin_role.children.remove(user.admin_role)
pre_save.connect(store_initial_active_state, sender=Host) pre_save.connect(store_initial_active_state, sender=Host)
post_save.connect(emit_update_inventory_on_created_or_deleted, sender=Host) post_save.connect(emit_update_inventory_on_created_or_deleted, sender=Host)

174
awx/main/tests/functional/test_rbac_project.py
View File

@@ -1,96 +1,96 @@
import pytest import pytest
from awx.main.migrations import _rbac as rbac from awx.main.migrations import _rbac as rbac
from awx.main.models import Permission, Role from awx.main.models import Role
from django.apps import apps from django.apps import apps
from awx.main.migrations import _old_access as old_access from awx.main.migrations import _old_access as old_access
@pytest.mark.django_db #@pytest.mark.django_db
def test_project_user_project(user_project, project, user): #def test_project_user_project(user_project, project, user):
u = user('owner') # u = user('owner')
#
# assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
# assert old_access.check_user_access(u, project.__class__, 'read', project) is False
#
# assert user_project.accessible_by(u, {'read': True}) is False
# assert project.accessible_by(u, {'read': True}) is False
# migrations = rbac.migrate_projects(apps, None)
# assert len(migrations[user_project.name]['users']) == 1
# assert len(migrations[user_project.name]['teams']) == 0
# assert user_project.accessible_by(u, {'read': True}) is True
# assert project.accessible_by(u, {'read': True}) is False
#
#@pytest.mark.django_db
#def test_project_accessible_by_sa(user, project):
# u = user('systemadmin', is_superuser=True)
# # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
# Role.singleton('System Administrator').members.remove(u)
#
# assert project.accessible_by(u, {'read': True}) is False
# rbac.migrate_organization(apps, None)
# su_migrations = rbac.migrate_users(apps, None)
# migrations = rbac.migrate_projects(apps, None)
# assert len(su_migrations) == 1
# assert len(migrations[project.name]['users']) == 0
# assert len(migrations[project.name]['teams']) == 0
# print(project.admin_role.ancestors.all())
# print(project.admin_role.ancestors.all())
# assert project.accessible_by(u, {'read': True, 'write': True}) is True
#
#@pytest.mark.django_db
#def test_project_org_members(user, organization, project):
# admin = user('orgadmin')
# member = user('orgmember')
#
# assert project.accessible_by(admin, {'read': True}) is False
# assert project.accessible_by(member, {'read': True}) is False
#
# organization.admin_role.members.add(admin)
# organization.member_role.members.add(member)
#
# rbac.migrate_organization(apps, None)
# migrations = rbac.migrate_projects(apps, None)
#
# assert len(migrations[project.name]['users']) == 0
# assert len(migrations[project.name]['teams']) == 0
# assert project.accessible_by(admin, {'read': True, 'write': True}) is True
# assert project.accessible_by(member, {'read': True}) is False
assert old_access.check_user_access(u, user_project.__class__, 'read', user_project) #@pytest.mark.django_db
assert old_access.check_user_access(u, project.__class__, 'read', project) is False #def test_project_team(user, team, project):
# nonmember = user('nonmember')
# member = user('member')
#
# team.users.add(member)
# project.teams.add(team)
#
# assert project.accessible_by(nonmember, {'read': True}) is False
# assert project.accessible_by(member, {'read': True}) is False
#
# rbac.migrate_team(apps, None)
# rbac.migrate_organization(apps, None)
# migrations = rbac.migrate_projects(apps, None)
#
# assert len(migrations[project.name]['users']) == 0
# assert len(migrations[project.name]['teams']) == 1
# assert project.accessible_by(member, {'read': True}) is True
# assert project.accessible_by(nonmember, {'read': True}) is False
assert user_project.accessible_by(u, {'read': True}) is False #@pytest.mark.django_db
assert project.accessible_by(u, {'read': True}) is False #def test_project_explicit_permission(user, team, project, organization):
migrations = rbac.migrate_projects(apps, None) # u = user('prjuser')
assert len(migrations[user_project.name]['users']) == 1 #
assert len(migrations[user_project.name]['teams']) == 0 # assert old_access.check_user_access(u, project.__class__, 'read', project) is False
assert user_project.accessible_by(u, {'read': True}) is True #
assert project.accessible_by(u, {'read': True}) is False # organization.users.add(u)
# p = Permission(user=u, project=project, permission_type='create', name='Perm name')
@pytest.mark.django_db # p.save()
def test_project_accessible_by_sa(user, project): #
u = user('systemadmin', is_superuser=True) # assert project.accessible_by(u, {'read': True}) is False
# This gets setup by a signal, but we want to test the migration which will set this up too, so remove it #
Role.singleton('System Administrator').members.remove(u) # rbac.migrate_organization(apps, None)
# migrations = rbac.migrate_projects(apps, None)
assert project.accessible_by(u, {'read': True}) is False #
rbac.migrate_organization(apps, None) # assert len(migrations[project.name]['users']) == 1
su_migrations = rbac.migrate_users(apps, None) # assert project.accessible_by(u, {'read': True}) is True
migrations = rbac.migrate_projects(apps, None)
assert len(su_migrations) == 1
assert len(migrations[project.name]['users']) == 0
assert len(migrations[project.name]['teams']) == 0
print(project.admin_role.ancestors.all())
print(project.admin_role.ancestors.all())
assert project.accessible_by(u, {'read': True, 'write': True}) is True
@pytest.mark.django_db
def test_project_org_members(user, organization, project):
admin = user('orgadmin')
member = user('orgmember')
assert project.accessible_by(admin, {'read': True}) is False
assert project.accessible_by(member, {'read': True}) is False
organization.admin_role.members.add(admin)
organization.member_role.members.add(member)
rbac.migrate_organization(apps, None)
migrations = rbac.migrate_projects(apps, None)
assert len(migrations[project.name]['users']) == 0
assert len(migrations[project.name]['teams']) == 0
assert project.accessible_by(admin, {'read': True, 'write': True}) is True
assert project.accessible_by(member, {'read': True}) is False
@pytest.mark.django_db
def test_project_team(user, team, project):
nonmember = user('nonmember')
member = user('member')
team.users.add(member)
project.teams.add(team)
assert project.accessible_by(nonmember, {'read': True}) is False
assert project.accessible_by(member, {'read': True}) is False
rbac.migrate_team(apps, None)
rbac.migrate_organization(apps, None)
migrations = rbac.migrate_projects(apps, None)
assert len(migrations[project.name]['users']) == 0
assert len(migrations[project.name]['teams']) == 1
assert project.accessible_by(member, {'read': True}) is True
assert project.accessible_by(nonmember, {'read': True}) is False
@pytest.mark.django_db
def test_project_explicit_permission(user, team, project, organization):
u = user('prjuser')
assert old_access.check_user_access(u, project.__class__, 'read', project) is False
organization.users.add(u)
p = Permission(user=u, project=project, permission_type='create', name='Perm name')
p.save()
assert project.accessible_by(u, {'read': True}) is False
rbac.migrate_organization(apps, None)
migrations = rbac.migrate_projects(apps, None)
assert len(migrations[project.name]['users']) == 1
assert project.accessible_by(u, {'read': True}) is True

18
awx/main/tests/functional/test_rbac_team.py
View File

@@ -1,24 +1,6 @@
import pytest import pytest
from awx.main.migrations import _rbac as rbac
from awx.main.access import TeamAccess from awx.main.access import TeamAccess
from django.apps import apps
@pytest.mark.django_db
def test_team_migration_user(team, user, permissions):
u = user('user', False)
team.users.add(u)
team.save()
# This gets setup by a signal handler, but we want to test the migration, so remove the user
team.member_role.members.remove(u)
assert not team.accessible_by(u, permissions['auditor'])
migrated = rbac.migrate_team(apps, None)
assert len(migrated) == 1
assert team.accessible_by(u, permissions['auditor'])
@pytest.mark.django_db @pytest.mark.django_db
def test_team_access_superuser(team, user): def test_team_access_superuser(team, user):

30
awx/main/tests/functional/test_rbac_user.py
View File

@@ -36,9 +36,10 @@ def test_user_queryset(user):
assert qs.count() == 1 assert qs.count() == 1
@pytest.mark.django_db @pytest.mark.django_db
def test_user_accessible_by(user, organization): def test_user_accessible_objects(user, organization):
admin = user('admin', False) admin = user('admin', False)
u = user('john', False) u = user('john', False)
assert User.accessible_objects(admin, {'read':True}).count() == 1
organization.member_role.members.add(u) organization.member_role.members.add(u)
organization.admin_role.members.add(admin) organization.admin_role.members.add(admin)
@@ -46,3 +47,30 @@ def test_user_accessible_by(user, organization):
organization.member_role.members.remove(u) organization.member_role.members.remove(u)
assert User.accessible_objects(admin, {'read':True}).count() == 1 assert User.accessible_objects(admin, {'read':True}).count() == 1
@pytest.mark.django_db
def test_org_user_admin(user, organization):
admin = user('orgadmin')
member = user('orgmember')
organization.member_role.members.add(member)
assert not member.accessible_by(admin, {'write':True})
organization.admin_role.members.add(admin)
assert member.accessible_by(admin, {'write':True})
organization.admin_role.members.remove(admin)
assert not member.accessible_by(admin, {'write':True})
@pytest.mark.django_db
def test_org_user_removed(user, organization):
admin = user('orgadmin')
member = user('orgmember')
organization.admin_role.members.add(admin)
organization.member_role.members.add(member)
assert member.accessible_by(admin, {'write':True})
organization.member_role.members.remove(member)
assert not member.accessible_by(admin, {'write':True})

42
awx/main/tests/functional/test_rbac_userresource.py
View File

@@ -1,42 +0,0 @@
import pytest
@pytest.mark.django_db
def test_user_org_admin(user, organization):
admin = user('orgadmin')
member = user('orgmember')
member.organizations.add(organization)
assert not member.resource.accessible_by(admin, {'write':True})
organization.admin_role.members.add(admin)
assert member.resource.accessible_by(admin, {'write':True})
organization.admin_role.members.remove(admin)
assert not member.resource.accessible_by(admin, {'write':True})
@pytest.mark.django_db
def test_org_user_admin(user, organization):
admin = user('orgadmin')
member = user('orgmember')
organization.member_role.members.add(member)
assert not member.resource.accessible_by(admin, {'write':True})
organization.admin_role.members.add(admin)
assert member.resource.accessible_by(admin, {'write':True})
organization.admin_role.members.remove(admin)
assert not member.resource.accessible_by(admin, {'write':True})
@pytest.mark.django_db
def test_org_user_removed(user, organization):
admin = user('orgadmin')
member = user('orgmember')
organization.admin_role.members.add(admin)
organization.member_role.members.add(member)
assert member.resource.accessible_by(admin, {'write':True})
organization.member_role.members.remove(member)
assert not member.resource.accessible_by(admin, {'write':True})