diff --git a/awx/api/permissions.py b/awx/api/permissions.py index 966cf95ea5..cf29f3454a 100644 --- a/awx/api/permissions.py +++ b/awx/api/permissions.py @@ -16,8 +16,8 @@ from awx.main.utils import get_object_or_400 logger = logging.getLogger('awx.api.permissions') __all__ = ['ModelAccessPermission', 'JobTemplateCallbackPermission', - 'TaskPermission', 'ProjectUpdatePermission', 'UserPermission', - 'IsSuperUser'] + 'TaskPermission', 'ProjectUpdatePermission', 'InventoryInventorySourcesUpdatePermission', + 'UserPermission', 'IsSuperUser'] class ModelAccessPermission(permissions.BasePermission): @@ -200,6 +200,12 @@ class ProjectUpdatePermission(ModelAccessPermission): return check_user_access(request.user, view.model, 'start', project) +class InventoryInventorySourcesUpdatePermission(ModelAccessPermission): + def check_post_permissions(self, request, view, obj=None): + inventory = get_object_or_400(view.model, pk=view.kwargs['pk']) + return check_user_access(request.user, view.model, 'update', inventory) + + class UserPermission(ModelAccessPermission): def check_post_permissions(self, request, view, obj=None): if not request.data: diff --git a/awx/api/serializers.py b/awx/api/serializers.py index edbd9948b8..1c64811ace 100644 --- a/awx/api/serializers.py +++ b/awx/api/serializers.py @@ -1123,6 +1123,7 @@ class InventorySerializer(BaseSerializerWithVariables): script = self.reverse('api:inventory_script_view', kwargs={'pk': obj.pk}), tree = self.reverse('api:inventory_tree_view', kwargs={'pk': obj.pk}), inventory_sources = self.reverse('api:inventory_inventory_sources_list', kwargs={'pk': obj.pk}), + update_inventory_sources = self.reverse('api:inventory_inventory_sources_update', kwargs={'pk': obj.pk}), activity_stream = self.reverse('api:inventory_activity_stream_list', kwargs={'pk': obj.pk}), job_templates = self.reverse('api:inventory_job_template_list', kwargs={'pk': obj.pk}), scan_job_templates = self.reverse('api:inventory_scan_job_template_list', kwargs={'pk': obj.pk}), diff --git a/awx/api/urls.py b/awx/api/urls.py index e3f52f6e6a..80f5eb7248 100644 --- a/awx/api/urls.py +++ b/awx/api/urls.py @@ -94,6 +94,7 @@ inventory_urls = patterns('awx.api.views', url(r'^(?P[0-9]+)/script/$', 'inventory_script_view'), url(r'^(?P[0-9]+)/tree/$', 'inventory_tree_view'), url(r'^(?P[0-9]+)/inventory_sources/$', 'inventory_inventory_sources_list'), + url(r'^(?P[0-9]+)/update_inventory_sources/$', 'inventory_inventory_sources_update'), url(r'^(?P[0-9]+)/activity_stream/$', 'inventory_activity_stream_list'), url(r'^(?P[0-9]+)/job_templates/$', 'inventory_job_template_list'), url(r'^(?P[0-9]+)/scan_job_templates/$', 'inventory_scan_job_template_list'), diff --git a/awx/api/views.py b/awx/api/views.py index 1d9152adaf..ffe53d1fb9 100644 --- a/awx/api/views.py +++ b/awx/api/views.py @@ -2405,6 +2405,51 @@ class InventoryInventorySourcesList(SubListCreateAPIView): new_in_14 = True +class InventoryInventorySourcesUpdate(RetrieveAPIView): + view_name = _('Inventory Sources Update') + + model = Inventory + serializer_class = InventorySourceUpdateSerializer + permission_classes = (InventoryInventorySourcesUpdatePermission,) + is_job_start = True + new_in_320 = True + + def retrieve(self, request, *args, **kwargs): + inventory = self.get_object() + update_data = [] + for inventory_source in inventory.inventory_sources.all(): + details = {'inventory_source': inventory_source.pk, + 'can_update': inventory_source.can_update} + update_data.append(details) + return Response(update_data) + + def post(self, request, *args, **kwargs): + inventory = self.get_object() + update_data = [] + for inventory_source in inventory.inventory_sources.all(): + details = {'inventory_source': inventory_source.pk, 'status': None} + can_update = inventory_source.can_update + project_update = False + + if inventory_source.source == 'scm' and inventory_source.update_on_project_update: + if not request.user or not request.user.can_access(Project, 'start', inventory_source.source_project): + details['status'] = 'You do not have permission to update project `{}`'.format(inventory_source.source_project.name) + can_update = False + else: + project_update = True + + if can_update: + if project_update: + details['project_update'] = inventory_source.source_project.update().id + details['status'] = 'started' + details['inventory_update'] = inventory_source.update().id + else: + if not details.get('status'): + details['status'] = 'Could not start because `can_update` returned False' + update_data.append(details) + return Response(update_data, status=status.HTTP_202_ACCEPTED) + + class InventorySourceList(ListCreateAPIView): model = InventorySource @@ -2523,7 +2568,7 @@ class InventorySourceUpdateView(RetrieveAPIView): obj = self.get_object() if obj.can_update: if obj.source == 'scm' and obj.update_on_project_update: - if not self.request.user or self.request.user.can_access(self.model, 'update', obj): + if not self.request.user or not self.request.user.can_access(Project, 'start', obj.source_project): raise PermissionDenied(detail=_( 'You do not have permission to update project `{}`.'.format(obj.source_project.name))) return self._build_update_response(obj.source_project.update(), request) diff --git a/awx/main/access.py b/awx/main/access.py index 30537234f6..c44c05fc7c 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -613,6 +613,10 @@ class InventoryAccess(BaseAccess): # inventory to a new organization. Otherwise, just check for admin permission. return self.check_related('organization', Organization, data, obj=obj) and self.user in obj.admin_role + @check_superuser + def can_update(self, obj): + return self.user in obj.update_role + def can_delete(self, obj): is_can_admin = self.can_admin(obj, None) if not is_can_admin: diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py index 030150ade3..e4291e50cb 100644 --- a/awx/main/tests/unit/api/test_views.py +++ b/awx/main/tests/unit/api/test_views.py @@ -7,6 +7,7 @@ from awx.api.views import ( ApiVersionRootView, JobTemplateLabelList, JobTemplateSurveySpec, + InventoryInventorySourcesUpdate, ) @@ -81,3 +82,38 @@ class TestJobTemplateSurveySpec(object): assert response == mock_response_new # which there was a better way to do this! assert response.call_args[0][1]['spec'][0]['default'] == '$encrypted$' + + +class TestInventoryInventorySourcesUpdate: + + @pytest.mark.parametrize("can_update, can_access, is_source, is_up_on_proj, expected", [ + (True, True, "ec2", False, [{'status': 'started', 'inventory_update': 1, 'inventory_source': 1}]), + (False, True, "gce", False, [{'status': 'Could not start because `can_update` returned False', 'inventory_source': 1}]), + (True, False, "scm", True, [{'status': 'You do not have permission to update project `project`', 'inventory_source': 1}]), + ]) + def test_post(self, mocker, can_update, can_access, is_source, is_up_on_proj, expected): + class InventoryUpdate: + id = 1 + + class Project: + name = 'project' + + InventorySource = namedtuple('InventorySource', ['source', 'update_on_project_update', 'pk', 'can_update', + 'update', 'source_project']) + + class InventorySources(object): + def all(self): + return [InventorySource(pk=1, source=is_source, source_project=Project, + update_on_project_update=is_up_on_proj, + can_update=can_update, update=lambda:InventoryUpdate)] + + Inventory = namedtuple('Inventory', ['inventory_sources']) + obj = Inventory(inventory_sources=InventorySources()) + + mock_request = mocker.MagicMock() + mock_request.user.can_access.return_value = can_access + + with mocker.patch.object(InventoryInventorySourcesUpdate, 'get_object', return_value=obj): + view = InventoryInventorySourcesUpdate() + response = view.post(mock_request) + assert response.data == expected