job template creation to require use_role, include network creds

2026-05-22 16:27:42 -02:30 · 2016-06-09 11:13:34 -04:00
parent 74b6ea82fb
commit a431f16953
4 changed files with 95 additions and 13 deletions
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -13,6 +13,13 @@ from django.apps import apps
 from django.core.urlresolvers import reverse


+@pytest.fixture
+def jt_objects(job_template_factory):
+    objects = job_template_factory(
+        'testJT', organization='org1', project='proj1', inventory='inventory1',
+        credential='cred1', cloud_credential='aws1', network_credential='juniper1')
+    return objects
+
@pytest.mark.django_db
 def test_job_template_migration_check(credential, deploy_jobtemplate, check_jobtemplate, user):
    admin = user('admin', is_superuser=True)
@@ -159,6 +166,58 @@ def test_job_template_access_superuser(check_license, user, deploy_jobtemplate):
    assert access.can_read(deploy_jobtemplate)
    assert access.can_add({})

+@pytest.mark.django_db
+def test_job_template_access_read_level(jt_objects, rando):
+
+    access = JobTemplateAccess(rando)
+    jt_objects.project.read_role.members.add(rando)
+    jt_objects.inventory.read_role.members.add(rando)
+    jt_objects.credential.read_role.members.add(rando)
+    jt_objects.cloud_credential.read_role.members.add(rando)
+    jt_objects.network_credential.read_role.members.add(rando)
+
+    proj_pk = jt_objects.project.pk
+    assert not access.can_add(dict(inventory=jt_objects.inventory.pk, project=proj_pk))
+    assert not access.can_add(dict(credential=jt_objects.credential.pk, project=proj_pk))
+    assert not access.can_add(dict(cloud_credential=jt_objects.cloud_credential.pk, project=proj_pk))
+    assert not access.can_add(dict(network_credential=jt_objects.network_credential.pk, project=proj_pk))
+
+@pytest.mark.django_db
+def test_job_template_access_use_level(jt_objects, rando):
+
+    access = JobTemplateAccess(rando)
+    jt_objects.project.use_role.members.add(rando)
+    jt_objects.inventory.use_role.members.add(rando)
+    jt_objects.credential.use_role.members.add(rando)
+    jt_objects.cloud_credential.use_role.members.add(rando)
+    jt_objects.network_credential.use_role.members.add(rando)
+
+    proj_pk = jt_objects.project.pk
+    assert access.can_add(dict(inventory=jt_objects.inventory.pk, project=proj_pk))
+    assert access.can_add(dict(credential=jt_objects.credential.pk, project=proj_pk))
+    assert access.can_add(dict(cloud_credential=jt_objects.cloud_credential.pk, project=proj_pk))
+    assert access.can_add(dict(network_credential=jt_objects.network_credential.pk, project=proj_pk))
+
+@pytest.mark.django_db
+def test_job_template_access_org_admin(jt_objects, rando):
+    access = JobTemplateAccess(rando)
+    # Appoint this user as admin of the organization
+    jt_objects.inventory.organization.admin_role.members.add(rando)
+    # Assign organization permission in the same way the create view does
+    organization = jt_objects.inventory.organization
+    jt_objects.credential.owner_role.parents.add(organization.admin_role)
+    jt_objects.cloud_credential.owner_role.parents.add(organization.admin_role)
+    jt_objects.network_credential.owner_role.parents.add(organization.admin_role)
+
+    proj_pk = jt_objects.project.pk
+    assert access.can_add(dict(inventory=jt_objects.inventory.pk, project=proj_pk))
+    assert access.can_add(dict(credential=jt_objects.credential.pk, project=proj_pk))
+    assert access.can_add(dict(cloud_credential=jt_objects.cloud_credential.pk, project=proj_pk))
+    assert access.can_add(dict(network_credential=jt_objects.network_credential.pk, project=proj_pk))
+
+    assert access.can_read(jt_objects.job_template)
+    assert access.can_delete(jt_objects.job_template)
+
@pytest.mark.django_db
@pytest.mark.job_permissions
 def test_job_template_creator_access(project, rando, post):