Fixed up some credential migration issues

2026-01-12 02:19:58 -03:30 · 2016-05-02 14:44:15 -04:00 · 2016-05-02 14:44:15 -04:00 · c7f2568c10
commit c7f2568c10
parent 5825737447
2 changed files with 49 additions and 29 deletions
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@ -125,8 +125,6 @@ def attrfunc(attr_path):

 def _update_credential_parents(org, cred):
    org.admin_role.children.add(cred.owner_role)
-    org.member_role.children.add(cred.use_role)
-    cred.deprecated_user, cred.deprecated_team = None, None
    cred.save()

 def _discover_credentials(instances, cred, orgfunc):
@ -158,7 +156,6 @@ def _discover_credentials(instances, cred, orgfunc):
                cred.save()

                # Unlink the old information from the new credential
-                cred.deprecated_user, cred.deprecated_team = None, None
                cred.owner_role, cred.use_role = None, None
                cred.save()

@ -172,42 +169,32 @@ def migrate_credential(apps, schema_editor):
    Credential = apps.get_model('main', "Credential")
    JobTemplate = apps.get_model('main', 'JobTemplate')
    Project = apps.get_model('main', 'Project')
-    Role = apps.get_model('main', 'Role')
-    User = apps.get_model('auth', 'User')
    InventorySource = apps.get_model('main', 'InventorySource')
-    ContentType = apps.get_model('contenttypes', "ContentType")
-    user_content_type = ContentType.objects.get_for_model(User)

    for cred in Credential.objects.iterator():
-        results = (JobTemplate.objects.filter(Q(credential=cred) | Q(cloud_credential=cred)).all() or
-                   InventorySource.objects.filter(credential=cred).all())
-        if results:
+        results = [x for x in JobTemplate.objects.filter(Q(credential=cred) | Q(cloud_credential=cred)).all()] + \
+                  [x for x in InventorySource.objects.filter(credential=cred).all()]
+        if cred.deprecated_team is not None and results:
            if len(results) == 1:
                _update_credential_parents(results[0].inventory.organization, cred)
            else:
                _discover_credentials(results, cred, attrfunc('inventory.organization'))
            logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
-            continue

        projs = Project.objects.filter(credential=cred).all()
-        if projs:
+        if cred.deprecated_team is not None and projs:
            if len(projs) == 1:
                _update_credential_parents(projs[0].organization, cred)
            else:
                _discover_credentials(projs, cred, attrfunc('organization'))
            logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
-            continue

        if cred.deprecated_team is not None:
-            cred.deprecated_team.admin_role.children.add(cred.owner_role)
-            cred.deprecated_team.member_role.children.add(cred.use_role)
-            cred.deprecated_user, cred.deprecated_team = None, None
+            cred.deprecated_team.member_role.children.add(cred.owner_role)
            cred.save()
            logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host)))
        elif cred.deprecated_user is not None:
-            user_admin_role = Role.objects.get(content_type=user_content_type, object_id=cred.deprecated_user.id)
-            user_admin_role.children.add(cred.owner_role)
-            cred.deprecated_user, cred.deprecated_team = None, None
+            cred.owner_role.members.add(cred.deprecated_user)
            cred.save()
            logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host, )))
        else:
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@ -27,7 +27,7 @@ def test_credential_use_role(credential, user, permissions):
@pytest.mark.django_db
 def test_credential_migration_team_member(credential, team, user, permissions):
    u = user('user', False)
-    team.admin_role.members.add(u)
+    team.member_role.members.add(u)
    credential.deprecated_team = team
    credential.save()

@ -91,7 +91,8 @@ def test_credential_access_admin(user, team, credential):
    assert access.can_change(credential, {'user': u.pk})

@pytest.mark.django_db
-def test_cred_job_template(user, deploy_jobtemplate):
+def test_cred_job_template_xfail(user, deploy_jobtemplate):
+    ' Personal credential migration '
    a = user('admin', False)
    org = deploy_jobtemplate.project.organization
    org.admin_role.members.add(a)
@ -102,19 +103,17 @@ def test_cred_job_template(user, deploy_jobtemplate):

    access = CredentialAccess(a)
    rbac.migrate_credential(apps, None)
-    assert access.can_change(cred, {'organization': org.pk})
-
-    org.admin_role.members.remove(a)
    assert not access.can_change(cred, {'organization': org.pk})

@pytest.mark.django_db
-def test_cred_multi_job_template_single_org(user, deploy_jobtemplate):
+def test_cred_job_template(user, team, deploy_jobtemplate):
+    ' Team credential migration => org credential '
    a = user('admin', False)
    org = deploy_jobtemplate.project.organization
    org.admin_role.members.add(a)

    cred = deploy_jobtemplate.credential
-    cred.deprecated_user = user('john', False)
+    cred.deprecated_team = team
    cred.save()

    access = CredentialAccess(a)
@ -125,8 +124,42 @@ def test_cred_multi_job_template_single_org(user, deploy_jobtemplate):
    assert not access.can_change(cred, {'organization': org.pk})

@pytest.mark.django_db
-def test_single_cred_multi_job_template_multi_org(user, organizations, credential):
+def test_cred_multi_job_template_single_org_xfail(user, deploy_jobtemplate):
+    a = user('admin', False)
+    org = deploy_jobtemplate.project.organization
+    org.admin_role.members.add(a)
+
+    cred = deploy_jobtemplate.credential
+    cred.deprecated_user = user('john', False)
+    cred.save()
+
+    access = CredentialAccess(a)
+    rbac.migrate_credential(apps, None)
+    assert not access.can_change(cred, {'organization': org.pk})
+
+@pytest.mark.django_db
+def test_cred_multi_job_template_single_org(user, team, deploy_jobtemplate):
+    a = user('admin', False)
+    org = deploy_jobtemplate.project.organization
+    org.admin_role.members.add(a)
+
+    cred = deploy_jobtemplate.credential
+    cred.deprecated_team = team
+    cred.save()
+
+    access = CredentialAccess(a)
+    rbac.migrate_credential(apps, None)
+    assert access.can_change(cred, {'organization': org.pk})
+
+    org.admin_role.members.remove(a)
+    assert not access.can_change(cred, {'organization': org.pk})
+
+@pytest.mark.django_db
+def test_single_cred_multi_job_template_multi_org(user, organizations, credential, team):
    orgs = organizations(2)
+    credential.deprecated_team = team
+    credential.save()
+
    jts = []
    for org in orgs:
        inv = org.inventories.create(name="inv-%d" % org.pk)
@ -169,7 +202,7 @@ def test_cred_inventory_source(user, inventory, credential):
    assert u not in credential.use_role

    rbac.migrate_credential(apps, None)
-    assert u in credential.use_role
+    assert u not in credential.use_role

@pytest.mark.django_db
 def test_cred_project(user, credential, project):
@ -181,7 +214,7 @@ def test_cred_project(user, credential, project):
    assert u not in credential.use_role

    rbac.migrate_credential(apps, None)
-    assert u in credential.use_role
+    assert u not in credential.use_role

@pytest.mark.django_db
 def test_cred_no_org(user, credential):