External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-07 17:37:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

add tests & correct auditor permissions

Browse Source
This commit is contained in:
adamscmRH
2018-04-02 16:49:23 -04:00
parent e9a128138a
commit 9ef1fce5e1
2 changed files with 59 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
awx/main/access.py
View File

@@ -604,17 +604,14 @@ class OAuth2ApplicationAccess(BaseAccess):
return False return False
def can_delete(self, obj): def can_delete(self, obj):
if obj.organization in self.user.admin_of_organizations or self.user.is_superuser: return obj.organization in self.user.admin_of_organizations or self.user.is_superuser
return True
else:
return False
def can_add(self, data): def can_add(self, data):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
if not data: if not data:
return Organization.accessible_objects(self.user, 'admin_role').exists() return Organization.accessible_objects(self.user, 'admin_role').exists()
return self.check_related('organization', Organization, data, role_field='admin_role') return self.check_related('organization', Organization, data, role_field='admin_role', mandatory=True)
class OAuth2TokenAccess(BaseAccess): class OAuth2TokenAccess(BaseAccess):
@@ -625,9 +622,9 @@ class OAuth2TokenAccess(BaseAccess):
- I am the user of the token. - I am the user of the token.
I can create an OAuth2 app token when: I can create an OAuth2 app token when:
- I have the read permission of the related application. - I have the read permission of the related application.
I can read, change or delete a personal token when: I can read, change or delete a personal token when:
- - I am the user of the token
- I am the superuser
I can create an OAuth2 Personal Access Token when: I can create an OAuth2 Personal Access Token when:
- I am a user. But I can only create a PAT for myself. - I am a user. But I can only create a PAT for myself.
''' '''
@@ -641,31 +638,20 @@ class OAuth2TokenAccess(BaseAccess):
Q(admin_role__members=self.user) | Q(auditor_role__members=self.user)) Q(admin_role__members=self.user) | Q(auditor_role__members=self.user))
return self.model.objects.filter(application__organization__in=org_access_qs) | self.model.objects.filter(user__id=self.user.pk) return self.model.objects.filter(application__organization__in=org_access_qs) | self.model.objects.filter(user__id=self.user.pk)
def can_change(self, obj, data): def can_delete(self, obj):
print 'obj user:', obj.user, '\nself.user:', self.user
if (self.user.is_superuser) | (obj.user == self.user): if (self.user.is_superuser) | (obj.user == self.user):
return True return True
elif self.user.is_system_auditor:
return False
elif not obj.application: elif not obj.application:
return False return False
return self.user in obj.application.organization.admin_role return self.user in obj.application.organization.admin_role
def can_delete(self, obj): def can_change(self, obj, data):
if (self.user.is_superuser) | (obj.user == self.user): return self.can_delete(obj)
return True
elif self.user.is_system_auditor:
return False
elif not obj.application:
return False
return self.user in obj.application.organization.admin_role
def can_add(self, data): def can_add(self, data):
if 'application' in data: if 'application' in data:
app = get_object_from_data('application', OAuth2Application, data) app = get_object_from_data('application', OAuth2Application, data)
if self.user.is_system_auditor: if app is None:
return False
elif app is None:
return True return True
return OAuth2ApplicationAccess(self.user).can_read(app) return OAuth2ApplicationAccess(self.user).can_read(app)
return True return True

52
awx/main/tests/functional/test_rbac_oauth.py
View File

@@ -40,7 +40,7 @@ class TestOAuth2Application:
(2, [False, False]), (2, [False, False]),
(3, [False, False]), (3, [False, False]),
]) ])
def test_can_edit_delete( def test_can_edit_delete_app(
self, admin, org_admin, org_member, alice, user_for_access, can_access_list, organization self, admin, org_admin, org_member, alice, user_for_access, can_access_list, organization
): ):
organization.admin_role.members.add(org_admin) organization.admin_role.members.add(org_admin)
@@ -103,6 +103,54 @@ class TestOAuth2Token:
assert access.can_delete(token) is can_access assert access.can_delete(token) is can_access
def test_auditor_can_read(
self, post, admin, org_admin, org_member, alice, system_auditor, organization
):
user_list = [admin, org_admin, org_member]
can_access_list = [True, True, True]
cannot_access_list = [False, False, False]
app = Application.objects.create(
name='test app for {}'.format(admin.username), user=admin,
client_type='confidential', authorization_grant_type='password',
organization=organization
)
for user, can_access, cannot_access in zip(user_list, can_access_list, cannot_access_list):
response = post(
reverse('api:o_auth2_application_token_list', kwargs={'pk': app.pk}),
{'scope': 'read'}, user, expect=201
)
token = AccessToken.objects.get(token=response.data['token'])
access = OAuth2TokenAccess(system_auditor)
assert access.can_read(token) is can_access
assert access.can_change(token, {}) is cannot_access
assert access.can_delete(token) is cannot_access
def test_user_auditor_can_change(
self, post, org_member, org_admin, system_auditor, organization
):
app = Application.objects.create(
name='test app for {}'.format(org_admin.username), user=org_admin,
client_type='confidential', authorization_grant_type='password',
organization=organization
)
response = post(
reverse('api:o_auth2_application_token_list', kwargs={'pk': app.pk}),
{'scope': 'read'}, org_member, expect=201
)
token = AccessToken.objects.get(token=response.data['token'])
access = OAuth2TokenAccess(system_auditor)
assert access.can_read(token) is True
assert access.can_change(token, {}) is False
assert access.can_delete(token) is False
dual_user = system_auditor
organization.admin_role.members.add(dual_user)
access = OAuth2TokenAccess(dual_user)
assert access.can_read(token) is True
assert access.can_change(token, {}) is True
assert access.can_delete(token) is True
def test_can_read_change_delete_personal_token_org_member( def test_can_read_change_delete_personal_token_org_member(
self, post, admin, org_admin, org_member, alice self, post, admin, org_admin, org_member, alice
): ):
@@ -131,7 +179,7 @@ class TestOAuth2Token:
for user, can_access in zip(user_list, can_access_list): for user, can_access in zip(user_list, can_access_list):
response = post( response = post(
reverse('api:o_auth2_personal_token_list', kwargs={'pk': user.pk}), reverse('api:o_auth2_personal_token_list', kwargs={'pk': user.pk}),
{'scope': 'read', 'organization':None}, user, expect=201 {'scope': 'read', 'application':None}, user, expect=201
) )
token = AccessToken.objects.get(token=response.data['token']) token = AccessToken.objects.get(token=response.data['token'])
access = OAuth2TokenAccess(user) access = OAuth2TokenAccess(user)