External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-08 01:47:35 -02:30
Code Issues Packages Projects Releases Wiki Activity

added Credential.migrate_to_rbac and tests

Browse Source
This commit is contained in:
Wayne Witzel III
2016-02-05 08:47:15 -05:00
parent b903726ddb
commit 58a603bac1
3 changed files with 73 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
awx/main/models/credential.py
View File

@@ -156,19 +156,16 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
help_text=_('Vault password (or "ASK" to prompt the user).'), help_text=_('Vault password (or "ASK" to prompt the user).'),
) )
owner_role = ImplicitRoleField( owner_role = ImplicitRoleField(
role_name='Credential Owner', role_name='Credential Owner',
parent_role=[ parent_role='team.admin_role',
'user.user_role',
'team.admin_role'
],
resource_field='resource', resource_field='resource',
permissions = { 'all': True } permissions = { 'all': True }
) )
usage_role = ImplicitRoleField( usage_role = ImplicitRoleField(
role_name='Credential User', role_name='Credential User',
resource_field='resource', resource_field='resource',
parent_role= 'team.member_role', parent_role= 'team.member_role',
permissions = { 'usage': True } permissions = { 'use': True }
) )
@property @property
@@ -366,6 +363,15 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
update_fields.append('cloud') update_fields.append('cloud')
super(Credential, self).save(*args, **kwargs) super(Credential, self).save(*args, **kwargs)
def migrate_to_rbac(self):
if self.user:
self.owner_role.members.add(self.user)
return [self.user]
elif self.team:
self.owner_role.parents.add(self.team.admin_role)
self.usage_role.parents.add(self.team.member_role)
return [self.team]
def validate_ssh_private_key(data): def validate_ssh_private_key(data):
"""Validate that the given SSH private key or certificate is, """Validate that the given SSH private key or certificate is,
in fact, valid. in fact, valid.

17
awx/main/tests/functional/conftest.py
View File

@@ -1,6 +1,10 @@
import pytest import pytest
from awx.main.models.organization import Organization from awx.main.models.credential import Credential
from awx.main.models.organization import (
Organization,
Team,
)
from django.contrib.auth.models import User from django.contrib.auth.models import User
@pytest.fixture @pytest.fixture
@@ -14,10 +18,18 @@ def user():
return user return user
return u return u
@pytest.fixture
def team(organization):
return Team.objects.create(organization=organization, name='test-team')
@pytest.fixture @pytest.fixture
def organization(): def organization():
return Organization.objects.create(name="test-org", description="test-org-desc") return Organization.objects.create(name="test-org", description="test-org-desc")
@pytest.fixture
def credential():
return Credential.objects.create(kind='aws', name='test-cred')
@pytest.fixture @pytest.fixture
def permissions(): def permissions():
return { return {
@@ -26,5 +38,8 @@ def permissions():
'auditor':{'read':True, 'create':False, 'write':False, 'auditor':{'read':True, 'create':False, 'write':False,
'update':False, 'delete':False, 'scm_update':False, 'execute':False, 'use':False,}, 'update':False, 'delete':False, 'scm_update':False, 'execute':False, 'use':False,},
'usage':{'read':False, 'create':False, 'write':False,
'update':False, 'delete':False, 'scm_update':False, 'execute':False, 'use':True,},
} }

44
awx/main/tests/functional/test_rbac_credential.py Normal file
View File

@@ -0,0 +1,44 @@
import pytest
@pytest.mark.django_db
def test_credential_migration_user(credential, user, permissions):
u = user('user', False)
credential.user = u
migrated = credential.migrate_to_rbac()
assert len(migrated) == 1
assert credential.accessible_by(u, permissions['admin'])
@pytest.mark.django_db
def test_credential_usage_role(credential, user, permissions):
u = user('user', False)
credential.usage_role.members.add(u)
assert credential.accessible_by(u, permissions['usage'])
@pytest.mark.django_db
def test_credential_migration_team_member(credential, team, user, permissions):
u = user('user', False)
team.admin_role.members.add(u)
credential.team = team
# No permissions pre-migration
assert credential.accessible_by(u, permissions['admin']) == False
migrated = credential.migrate_to_rbac()
# Admin permissions post migration
assert len(migrated) == 1
assert credential.accessible_by(u, permissions['admin'])
@pytest.mark.django_db
def test_credential_migration_team_admin(credential, team, user, permissions):
u = user('user', False)
team.member_role.members.add(u)
credential.team = team
# No permissions pre-migration
assert credential.accessible_by(u, permissions['usage']) == False
# Usage permissions post migration
migrated = credential.migrate_to_rbac()
assert len(migrated) == 1
assert credential.accessible_by(u, permissions['usage'])