Initial (editable) pass of adding JT.organization

This is the old version of this feature from 2019 this allows setting the organization in the data sent to the API when creating a JT, and exposes the field in the UI as well Subsequent commit changes the field from editable to read-only, but as of this commit, the machinery is not hooked up to infer it from project
2026-05-20 07:17:40 -02:30 · 2020-01-16 14:59:43 -05:00
parent 1876849d89
commit daa9282790
46 changed files with 985 additions and 377 deletions
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -24,6 +24,29 @@ def test_job_template_access_superuser(check_license, user, deploy_jobtemplate):
    assert access.can_add({})


+@pytest.mark.django_db
+class TestImplicitAccess:
+    def test_org_execute(self, jt_linked, rando):
+        assert rando not in jt_linked.execute_role
+        jt_linked.organization.execute_role.members.add(rando)
+        assert rando in jt_linked.execute_role
+
+    def test_org_admin(self, jt_linked, rando):
+        assert rando not in jt_linked.execute_role
+        jt_linked.organization.job_template_admin_role.members.add(rando)
+        assert rando in jt_linked.execute_role
+
+    def test_org_auditor(self, jt_linked, rando):
+        assert rando not in jt_linked.read_role
+        jt_linked.organization.auditor_role.members.add(rando)
+        assert rando in jt_linked.read_role
+
+    def test_deprecated_inventory_read(self, jt_linked, rando):
+        assert rando not in jt_linked.read_role
+        jt_linked.inventory.organization.execute_role.members.add(rando)
+        assert rando in jt_linked.read_role
+
+
@pytest.mark.django_db
 def test_job_template_access_read_level(jt_linked, rando):
    ssh_cred = jt_linked.machine_credential
@@ -45,22 +68,21 @@ def test_job_template_access_read_level(jt_linked, rando):

@pytest.mark.django_db
 def test_job_template_access_use_level(jt_linked, rando):
-    ssh_cred = jt_linked.machine_credential
-    vault_cred = jt_linked.vault_credentials[0]
-
    access = JobTemplateAccess(rando)
    jt_linked.project.use_role.members.add(rando)
    jt_linked.inventory.use_role.members.add(rando)
-    ssh_cred.use_role.members.add(rando)
-    vault_cred.use_role.members.add(rando)
-
+    jt_linked.organization.job_template_admin_role.members.add(rando)
    proj_pk = jt_linked.project.pk
-    assert access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk))
-    assert access.can_add(dict(credential=ssh_cred.pk, project=proj_pk))
-    assert access.can_add(dict(vault_credential=vault_cred.pk, project=proj_pk))
+    org_pk = jt_linked.organization_id
+
+    assert access.can_change(jt_linked, {'job_type': 'check', 'project': proj_pk})
+    assert access.can_change(jt_linked, {'job_type': 'check', 'inventory': None})

    for cred in jt_linked.credentials.all():
-        assert not access.can_unattach(jt_linked, cred, 'credentials', {})
+        assert access.can_unattach(jt_linked, cred, 'credentials', {})
+
+    assert access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk, organization=org_pk))
+    assert access.can_add(dict(project=proj_pk, organization=org_pk))


@pytest.mark.django_db
@@ -69,22 +91,21 @@ def test_job_template_access_admin(role_names, jt_linked, rando):
    ssh_cred = jt_linked.machine_credential

    access = JobTemplateAccess(rando)
-    # Appoint this user as admin of the organization
-    #jt_linked.inventory.organization.admin_role.members.add(rando)
+
    assert not access.can_read(jt_linked)
    assert not access.can_delete(jt_linked)

-    for role_name in role_names:
-        role = getattr(jt_linked.inventory.organization, role_name)
-        role.members.add(rando)
+    # Appoint this user as admin of the organization
+    jt_linked.organization.admin_role.members.add(rando)
+    org_pk = jt_linked.organization.id

    # Assign organization permission in the same way the create view does
    organization = jt_linked.inventory.organization
    ssh_cred.admin_role.parents.add(organization.admin_role)

    proj_pk = jt_linked.project.pk
-    assert access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk))
-    assert access.can_add(dict(credential=ssh_cred.pk, project=proj_pk))
+    assert access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk, organization=org_pk))
+    assert access.can_add(dict(credential=ssh_cred.pk, project=proj_pk, organization=org_pk))

    for cred in jt_linked.credentials.all():
        assert access.can_unattach(jt_linked, cred, 'credentials', {})
@@ -148,26 +169,46 @@ class TestOrphanJobTemplate:

@pytest.mark.django_db
@pytest.mark.job_permissions
-def test_job_template_creator_access(project, rando, post):
+def test_job_template_creator_access(project, organization, rando, post):
+    project.use_role.members.add(rando)
+    organization.job_template_admin_role.members.add(rando)
+    response = post(url=reverse('api:job_template_list'), data=dict(
+        name='newly-created-jt',
+        ask_inventory_on_launch=True,
+        project=project.pk,
+        organization=organization.id,
+        playbook='helloworld.yml'
+    ), user=rando, expect=201)

-    project.admin_role.members.add(rando)
-    with mock.patch(
-            'awx.main.models.projects.ProjectOptions.playbooks',
-            new_callable=mock.PropertyMock(return_value=['helloworld.yml'])):
-        response = post(reverse('api:job_template_list'), dict(
-            name='newly-created-jt',
-            job_type='run',
-            ask_inventory_on_launch=True,
-            ask_credential_on_launch=True,
-            project=project.pk,
-            playbook='helloworld.yml'
-        ), rando)
-
-    assert response.status_code == 201
    jt_pk = response.data['id']
    jt_obj = JobTemplate.objects.get(pk=jt_pk)
    # Creating a JT should place the creator in the admin role
-    assert rando in jt_obj.admin_role
+    assert rando in jt_obj.admin_role.members.all()
+
+
+@pytest.mark.django_db
+@pytest.mark.job_permissions
+@pytest.mark.parametrize('lacking', ['project', 'inventory', 'organization'])
+def test_job_template_insufficient_creator_permissions(lacking, project, inventory, organization, rando, post):
+    if lacking != 'project':
+        project.use_role.members.add(rando)
+    else:
+        project.read_role.members.add(rando)
+    if lacking != 'organization':
+        organization.job_template_admin_role.members.add(rando)
+    else:
+        organization.member_role.members.add(rando)
+    if lacking != 'inventory':
+        inventory.use_role.members.add(rando)
+    else:
+        inventory.read_role.members.add(rando)
+    post(url=reverse('api:job_template_list'), data=dict(
+        name='newly-created-jt',
+        inventory=inventory.id,
+        project=project.pk,
+        organization=organization.id,
+        playbook='helloworld.yml'
+    ), user=rando, expect=403)


@pytest.mark.django_db
@@ -239,7 +280,7 @@ class TestJobTemplateSchedules:
@pytest.mark.django_db
 def test_jt_org_ownership_change(user, jt_linked):
    admin1 = user('admin1')
-    org1 = jt_linked.project.organization
+    org1 = jt_linked.organization
    org1.admin_role.members.add(admin1)
    a1_access = JobTemplateAccess(admin1)

@@ -254,10 +295,8 @@ def test_jt_org_ownership_change(user, jt_linked):
    assert not a2_access.can_read(jt_linked)


-    jt_linked.project.organization = org2
-    jt_linked.project.save()
-    jt_linked.inventory.organization = org2
-    jt_linked.inventory.save()
+    jt_linked.organization = org2
+    jt_linked.save()

    assert a2_access.can_read(jt_linked)
    assert not a1_access.can_read(jt_linked)