External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-12 18:40:01 -03:30
Code Issues Packages Projects Releases Wiki Activity

New tests for user launching/relaunching with credential/inventory access

Browse Source
This commit is contained in:
AlanCoding 2016-04-26 17:03:11 -04:00
parent e381a4da85
commit 5dc17cd72f
2 changed files with 40 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
awx/main/access.py
View File

@ -875,11 +875,12 @@ class JobAccess(BaseAccess):
return self.user in obj.job_template.execute_role
inventory_access = self.user in obj.inventory.use_role
credential_access = self.user in obj.credential.use_role
org_access = self.user in obj.inventory.organization.admin_role
project_access = obj.project is None or self.user in obj.project.admin_role
return inventory_access and (org_access or project_access)
return inventory_access and credential_access and (org_access or project_access)
def can_cancel(self, obj):
return self.can_read(obj) and obj.can_cancel

39
awx/main/tests/functional/api/test_job_runtime_params.py
View File

@ -5,6 +5,7 @@ from awx.api.serializers import JobLaunchSerializer
from awx.main.models.credential import Credential
from awx.main.models.inventory import Inventory
from awx.main.models.jobs import Job, JobTemplate
from awx.main.access import JobAccess
from django.core.urlresolvers import reverse
@ -171,7 +172,8 @@ def test_job_launch_fails_without_inventory(deploy_jobtemplate, post, user):
@pytest.mark.django_db
@pytest.mark.job_runtime_vars
def test_job_launch_fails_without_inventory_access(job_template_prompts, runtime_data, machine_credential, post, user, mocker):
def test_job_launch_fails_without_inventory_or_cred_access(
job_template_prompts, runtime_data, machine_credential, post, user, mocker):
job_template = job_template_prompts(True)
common_user = user('test-user', False)
job_template.execute_role.members.add(common_user)
@ -193,6 +195,14 @@ def test_job_launch_fails_without_inventory_access(job_template_prompts, runtime
assert response.status_code == 403
assert response.data['detail'] == u'You do not have permission to perform this action.'
# Assure that giving a credential without access blocks the launch
new_cred = Credential.objects.create(name='machine-cred-you-cant-use', kind='ssh', username='test_user', password='pas4word')
response = post(reverse('api:job_template_launch', args=[job_template.pk]),
dict(credential=new_cred.pk), common_user)
assert response.status_code == 403
assert response.data['detail'] == u'You do not have permission to perform this action.'
@pytest.mark.django_db
@pytest.mark.job_runtime_vars
def test_job_relaunch_copy_vars(runtime_data, job_template_prompts, project, post, mocker):
@ -213,6 +223,33 @@ def test_job_relaunch_copy_vars(runtime_data, job_template_prompts, project, pos
assert original_job.inventory.pk == second_job.inventory.pk
assert original_job.job_tags == second_job.job_tags
@pytest.mark.django_db
@pytest.mark.job_runtime_vars
def test_job_relaunch_resource_access(runtime_data, project, user):
the_cred = Credential.objects.get(pk=runtime_data['credential'])
the_inv = Inventory.objects.get(pk=runtime_data['inventory'])
original_job = Job.objects.create(
name='existing-job', credential=the_cred, inventory=the_inv
)
ordinary_user = user('commoner', False)
inventory_user = user('user1', False)
credential_user = user('user2', False)
both_user = user('user3', False)
# Confirm that a user with inventory & credential access can launch
the_cred.use_role.members.add(both_user)
the_inv.use_role.members.add(both_user)
assert both_user.can_access(Job, 'start', original_job)
# Confirm that a user with credential access alone can not launch
the_cred.use_role.members.add(credential_user)
assert not credential_user.can_access(Job, 'start', original_job)
# Confirm that a user with inventory access alone can not launch
the_inv.use_role.members.add(inventory_user)
assert not inventory_user.can_access(Job, 'start', original_job)
@pytest.mark.django_db
def test_job_launch_JT_with_validation(machine_credential, deploy_jobtemplate):
deploy_jobtemplate.extra_vars = '{"job_template_var": 3}'