Merge pull request #104 from AlanCoding/extra_cred_restart

Fix RBAC bugs in job relaunch with prompted extra_credentials
2026-03-02 09:18:48 -03:30 · 2017-07-31 14:59:06 -04:00
parent ff01ab063c 1722d2169b
commit 60eba9fbe2
2 changed files with 66 additions and 8 deletions
--- a/awx/main/tests/functional/test_rbac_job.py
+++ b/awx/main/tests/functional/test_rbac_job.py
@@ -149,7 +149,7 @@ class TestJobRelaunchAccess:
        assert not inventory_user.can_access(Job, 'start', job_with_links, validate_license=False)

    def test_job_relaunch_extra_credential_access(
-            self, post, inventory, project, credential, net_credential):
+            self, inventory, project, credential, net_credential):
        jt = JobTemplate.objects.create(name='testjt', inventory=inventory, project=project)
        jt.extra_credentials.add(credential)
        job = jt.create_unified_job()
@@ -164,6 +164,45 @@ class TestJobRelaunchAccess:
        job.extra_credentials.add(net_credential)
        assert not jt_user.can_access(Job, 'start', job, validate_license=False)

+    def test_prompted_extra_credential_relaunch_denied(
+            self, inventory, project, net_credential, rando):
+        jt = JobTemplate.objects.create(
+            name='testjt', inventory=inventory, project=project,
+            ask_credential_on_launch=True)
+        job = jt.create_unified_job()
+        jt.execute_role.members.add(rando)
+
+        # Job has prompted extra_credential, rando lacks permission to use it
+        job.extra_credentials.add(net_credential)
+        assert not rando.can_access(Job, 'start', job, validate_license=False)
+
+    def test_prompted_extra_credential_relaunch_allowed(
+            self, inventory, project, net_credential, rando):
+        jt = JobTemplate.objects.create(
+            name='testjt', inventory=inventory, project=project,
+            ask_credential_on_launch=True)
+        job = jt.create_unified_job()
+        jt.execute_role.members.add(rando)
+
+        # Job has prompted extra_credential, but rando can use it
+        net_credential.use_role.members.add(rando)
+        job.extra_credentials.add(net_credential)
+        assert rando.can_access(Job, 'start', job, validate_license=False)
+
+    def test_extra_credential_relaunch_recreation_permission(
+            self, inventory, project, net_credential, credential, rando):
+        jt = JobTemplate.objects.create(
+            name='testjt', inventory=inventory, project=project,
+            credential=credential, ask_credential_on_launch=True)
+        job = jt.create_unified_job()
+        project.admin_role.members.add(rando)
+        inventory.admin_role.members.add(rando)
+        credential.admin_role.members.add(rando)
+
+        # Relaunch blocked by the extra credential
+        job.extra_credentials.add(net_credential)
+        assert not rando.can_access(Job, 'start', job, validate_license=False)
+

@pytest.mark.django_db
 class TestJobAndUpdateCancels: