Merge pull request #970 from wwitzel3/rbac

RBAC: access unit tests and new migration

awx/main/migrations/0003_rbac_changes.py

@@ -12,6 +12,7 @@ class Migration(migrations.Migration):
 
     dependencies = [
         ('taggit', '0002_auto_20150616_2121'),
+        ('contenttypes', '0002_remove_content_type_name'),
         migrations.swappable_dependency(settings.AUTH_USER_MODEL),
         ('main', '0002_v300_changes'),
     ]
@@ -26,9 +27,10 @@ class Migration(migrations.Migration):
                 ('description', models.TextField(default=b'', blank=True)),
                 ('active', models.BooleanField(default=True, editable=False)),
                 ('name', models.CharField(max_length=512)),
+                ('object_id', models.PositiveIntegerField(default=None, null=True)),
+                ('content_type', models.ForeignKey(default=None, to='contenttypes.ContentType', null=True)),
                 ('created_by', models.ForeignKey(related_name="{u'class': 'resource', u'app_label': 'main'}(class)s_created+", on_delete=django.db.models.deletion.SET_NULL, default=None, editable=False, to=settings.AUTH_USER_MODEL, null=True)),
                 ('modified_by', models.ForeignKey(related_name="{u'class': 'resource', u'app_label': 'main'}(class)s_modified+", on_delete=django.db.models.deletion.SET_NULL, default=None, editable=False, to=settings.AUTH_USER_MODEL, null=True)),
-                ('parent', models.ForeignKey(related_name='children', default=None, to='main.Resource', null=True)),
                 ('tags', taggit.managers.TaggableManager(to='taggit.Tag', through='taggit.TaggedItem', blank=True, help_text='A comma-separated list of tags.', verbose_name='Tags')),
             ],
             options={
@@ -46,6 +48,9 @@ class Migration(migrations.Migration):
                 ('active', models.BooleanField(default=True, editable=False)),
                 ('name', models.CharField(max_length=512)),
                 ('singleton_name', models.TextField(default=None, unique=True, null=True, db_index=True)),
+                ('object_id', models.PositiveIntegerField(default=None, null=True)),
+                ('ancestors', models.ManyToManyField(related_name='descendents', to='main.Role')),
+                ('content_type', models.ForeignKey(default=None, to='contenttypes.ContentType', null=True)),
                 ('created_by', models.ForeignKey(related_name="{u'class': 'role', u'app_label': 'main'}(class)s_created+", on_delete=django.db.models.deletion.SET_NULL, default=None, editable=False, to=settings.AUTH_USER_MODEL, null=True)),
                 ('members', models.ManyToManyField(related_name='roles', to=settings.AUTH_USER_MODEL)),
                 ('modified_by', models.ForeignKey(related_name="{u'class': 'role', u'app_label': 'main'}(class)s_modified+", on_delete=django.db.models.deletion.SET_NULL, default=None, editable=False, to=settings.AUTH_USER_MODEL, null=True)),
@@ -57,20 +62,6 @@ class Migration(migrations.Migration):
                 'verbose_name_plural': 'roles',
             },
         ),
-        migrations.CreateModel(
-            name='RoleHierarchy',
-            fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('created', models.DateTimeField(default=None, editable=False)),
-                ('modified', models.DateTimeField(default=None, editable=False)),
-                ('ancestor', models.ForeignKey(related_name='+', to='main.Role')),
-                ('role', models.ForeignKey(related_name='+', to='main.Role')),
-            ],
-            options={
-                'db_table': 'main_rbac_role_hierarchy',
-                'verbose_name_plural': 'role_ancestors',
-            },
-        ),
         migrations.CreateModel(
             name='RolePermission',
             fields=[
@@ -93,10 +84,10 @@ class Migration(migrations.Migration):
                 'verbose_name_plural': 'permissions',
             },
         ),
-        migrations.AddField(
-            model_name='project',
-            name='organization',
-            field=models.ForeignKey(related_name='project_list', on_delete=django.db.models.deletion.SET_NULL, to='main.Organization', null=True),
+        migrations.AlterField(
+            model_name='towersettings',
+            name='value',
+            field=models.TextField(blank=True),
         ),
         migrations.AddField(
             model_name='credential',
@@ -205,13 +196,13 @@ class Migration(migrations.Migration):
         ),
         migrations.AddField(
             model_name='organization',
-            name='resource',
-            field=awx.main.fields.ImplicitResourceField(related_name='+', to='main.Resource', null=b'True'),
+            name='member_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
         ),
         migrations.AddField(
             model_name='organization',
-            name='member_role',
-            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+            name='resource',
+            field=awx.main.fields.ImplicitResourceField(related_name='+', to='main.Resource', null=b'True'),
         ),
         migrations.AddField(
             model_name='project',

awx/main/tests/functional/test_rbac_credential.py

@@ -1,7 +1,10 @@
 import pytest
 
+from awx.main.access import CredentialAccess
+from awx.main.models.credential import Credential
 from awx.main.migrations import _rbac as rbac
 from django.apps import apps
+from django.contrib.auth.models import User
 
 @pytest.mark.django_db
 def test_credential_migration_user(credential, user, permissions):
@@ -51,3 +54,35 @@ def test_credential_migration_team_admin(credential, team, user, permissions):
     assert len(migrated) == 1
     assert credential.accessible_by(u, permissions['usage'])
 
+def test_credential_access_superuser():
+    u = User(username='admin', is_superuser=True)
+    access = CredentialAccess(u)
+    credential = Credential()
+
+    assert access.can_add(None)
+    assert access.can_change(credential, None)
+    assert access.can_delete(credential)
+
+@pytest.mark.django_db
+def test_credential_access_admin(user, organization, team, credential):
+    u = user('org-admin', False)
+    organization.admins.add(u)
+    team.organization = organization
+    team.save()
+
+    access = CredentialAccess(u)
+
+    assert access.can_add({'user': u.pk})
+    assert access.can_add({'team': team.pk})
+
+    assert not access.can_change(credential, {'user': u.pk})
+
+    # unowned credential can be deleted
+    assert access.can_delete(credential)
+
+    credential.created_by = u
+    credential.save()
+    assert not access.can_change(credential, {'user': u.pk})
+
+    team.users.add(u)
+    assert access.can_change(credential, {'user': u.pk})