From c7f2568c100b214625dce0a4e0db042ce74bea23 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 2 May 2016 14:44:15 -0400
Subject: [PATCH] Fixed up some credential migration issues
---
 awx/main/migrations/_rbac.py | 25 +++------
 .../tests/functional/test_rbac_credential.py | 53 +++++++++++++++----
 2 files changed, 49 insertions(+), 29 deletions(-)
diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py
index 706f8dee98..7f98e51acc 100644
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@@ -125,8 +125,6 @@ def attrfunc(attr_path):
 def _update_credential_parents(org, cred):
 org.admin_role.children.add(cred.owner_role)
- org.member_role.children.add(cred.use_role)
- cred.deprecated_user, cred.deprecated_team = None, None
 cred.save()
 def _discover_credentials(instances, cred, orgfunc):
@@ -158,7 +156,6 @@ def _discover_credentials(instances, cred, orgfunc):
 cred.save()
 # Unlink the old information from the new credential
- cred.deprecated_user, cred.deprecated_team = None, None
 cred.owner_role, cred.use_role = None, None
 cred.save()
@@ -172,42 +169,32 @@ def migrate_credential(apps, schema_editor):
 Credential = apps.get_model('main', "Credential")
 JobTemplate = apps.get_model('main', 'JobTemplate')
 Project = apps.get_model('main', 'Project')
- Role = apps.get_model('main', 'Role')
- User = apps.get_model('auth', 'User')
 InventorySource = apps.get_model('main', 'InventorySource')
- ContentType = apps.get_model('contenttypes', "ContentType")
- user_content_type = ContentType.objects.get_for_model(User)
 for cred in Credential.objects.iterator():
- results = (JobTemplate.objects.filter(Q(credential=cred) | Q(cloud_credential=cred)).all() or
- InventorySource.objects.filter(credential=cred).all())
- if results:
+ results = [x for x in JobTemplate.objects.filter(Q(credential=cred) | Q(cloud_credential=cred)).all()] + \
+ [x for x in InventorySource.objects.filter(credential=cred).all()]
+ if cred.deprecated_team is not None and results:
 if len(results) == 1:
 _update_credential_parents(results[0].inventory.organization, cred)
 else:
 _discover_credentials(results, cred, attrfunc('inventory.organization'))
 logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
- continue
 projs = Project.objects.filter(credential=cred).all()
- if projs:
+ if cred.deprecated_team is not None and projs:
 if len(projs) == 1:
 _update_credential_parents(projs[0].organization, cred)
 else:
 _discover_credentials(projs, cred, attrfunc('organization'))
 logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
- continue
 if cred.deprecated_team is not None:
- cred.deprecated_team.admin_role.children.add(cred.owner_role)
- cred.deprecated_team.member_role.children.add(cred.use_role)
- cred.deprecated_user, cred.deprecated_team = None, None
+ cred.deprecated_team.member_role.children.add(cred.owner_role)
 cred.save()
 logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host)))
 elif cred.deprecated_user is not None:
- user_admin_role = Role.objects.get(content_type=user_content_type, object_id=cred.deprecated_user.id)
- user_admin_role.children.add(cred.owner_role)
- cred.deprecated_user, cred.deprecated_team = None, None
+ cred.owner_role.members.add(cred.deprecated_user)
 cred.save()
 logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host, )))
 else:
diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py
index e48b964bc8..75bcffecb6 100644
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@@ -27,7 +27,7 @@ def test_credential_use_role(credential, user, permissions):
 @pytest.mark.django_db
 def test_credential_migration_team_member(credential, team, user, permissions):
 u = user('user', False)
- team.admin_role.members.add(u)
+ team.member_role.members.add(u)
 credential.deprecated_team = team
 credential.save()
@@ -91,7 +91,8 @@ def test_credential_access_admin(user, team, credential):
 assert access.can_change(credential, {'user': u.pk})
 @pytest.mark.django_db
-def test_cred_job_template(user, deploy_jobtemplate):
+def test_cred_job_template_xfail(user, deploy_jobtemplate):
+ ' Personal credential migration '
 a = user('admin', False)
 org = deploy_jobtemplate.project.organization
 org.admin_role.members.add(a)
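Review bot: In the `migrate_credential` hunk (`@@ -172,42 +169,32 @@`), the team branch now runs `cred.deprecated_team.member_role.children.add(cred.owner_role)`, so every team member inherits the credential's owner role, where the removed lines gave members `use_role` and kept `owner_role` for team admins. If owner rights are meant to cover editing or deleting the credential, this is a wider grant than the removed mapping, and it deserves either a narrower mapping or a comment such as `# team members inherit owner_role on migrated team credentials; use_role is intentionally not granted separately`. With both `continue` statements gone, a team credential attached to a job template, inventory source or project also falls through to this branch, so it gets the organization `admin_role` parent as well and is logged once "at organization level" and again "at user level". The function continues past the trailing `else:` outside this hunk.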
@@ -102,19 +103,17 @@ def test_cred_job_template(user, deploy_jobtemplate):
 access = CredentialAccess(a)
 rbac.migrate_credential(apps, None)
- assert access.can_change(cred, {'organization': org.pk})
-
- org.admin_role.members.remove(a)
 assert not access.can_change(cred, {'organization': org.pk})
 @pytest.mark.django_db
-def test_cred_multi_job_template_single_org(user, deploy_jobtemplate):
+def test_cred_job_template(user, team, deploy_jobtemplate):
+ ' Team credential migration => org credential '
 a = user('admin', False)
 org = deploy_jobtemplate.project.organization
 org.admin_role.members.add(a)
 cred = deploy_jobtemplate.credential
- cred.deprecated_user = user('john', False)
+ cred.deprecated_team = team
 cred.save()
 access = CredentialAccess(a)
@@ -125,8 +124,42 @@ def test_cred_multi_job_template_single_org(user, deploy_jobtemplate):
 assert not access.can_change(cred, {'organization': org.pk})
 @pytest.mark.django_db
-def test_single_cred_multi_job_template_multi_org(user, organizations, credential):
+def test_cred_multi_job_template_single_org_xfail(user, deploy_jobtemplate):
+ a = user('admin', False)
+ org = deploy_jobtemplate.project.organization
+ org.admin_role.members.add(a)
+
+ cred = deploy_jobtemplate.credential
+ cred.deprecated_user = user('john', False)
+ cred.save()
+
+ access = CredentialAccess(a)
+ rbac.migrate_credential(apps, None)
+ assert not access.can_change(cred, {'organization': org.pk})
+
+@pytest.mark.django_db
+def test_cred_multi_job_template_single_org(user, team, deploy_jobtemplate):
+ a = user('admin', False)
+ org = deploy_jobtemplate.project.organization
+ org.admin_role.members.add(a)
+
+ cred = deploy_jobtemplate.credential
+ cred.deprecated_team = team
+ cred.save()
+
+ access = CredentialAccess(a)
+ rbac.migrate_credential(apps, None)
+ assert access.can_change(cred, {'organization': org.pk})
+
+ org.admin_role.members.remove(a)
+ assert not access.can_change(cred, {'organization': org.pk})
+
+@pytest.mark.django_db
+def test_single_cred_multi_job_template_multi_org(user, organizations, credential, team):
 orgs = organizations(2)
+ credential.deprecated_team = team
+ credential.save()
+
 jts = []
 for org in orgs:
 inv = org.inventories.create(name="inv-%d" % org.pk)
@@ -169,7 +202,7 @@ def test_cred_inventory_source(user, inventory, credential):
 assert u not in credential.use_role
 rbac.migrate_credential(apps, None)
- assert u in credential.use_role
+ assert u not in credential.use_role
 @pytest.mark.django_db
 def test_cred_project(user, credential, project):
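Review bot: `test_cred_multi_job_template_single_org_xfail` (hunk `@@ -125,8 +124,42 @@`) checks only that the organization admin is denied; it never checks that the personal owner keeps access, so a migration that dropped `deprecated_user` entirely would still pass. Bind the user before assigning it, `john = user('john', False)`, and after `rbac.migrate_credential(apps, None)` add `assert john in cred.owner_role`. The `_xfail` suffix also reads like an expected-failure marker, but no `pytest.mark.xfail` decorator is visible on the test; a one-line docstring like the one added to `test_cred_job_template_xfail` would make the intent clear.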
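Review bot: In `test_cred_inventory_source` (hunk `@@ -169,7 +202,7 @@`) the assertion after `rbac.migrate_credential(apps, None)` is now identical to the one before it, `assert u not in credential.use_role`, so the test passes whether or not the migration touched the credential. The same holds for `test_cred_project` in the `@@ -181,7 +214,7 @@` hunk. State the intent next to the second assertion, for example `# migration must not grant use_role to this user`, and pair it with a positive check on whichever role the credential's legacy owner is expected to hold. The setup of both tests is outside the hunks, so the right role cannot be named from here.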
@@ -181,7 +214,7 @@ def test_cred_project(user, credential, project):
 assert u not in credential.use_role
 rbac.migrate_credential(apps, None)
- assert u in credential.use_role
+ assert u not in credential.use_role
 @pytest.mark.django_db
 def test_cred_no_org(user, credential):