From eb140d9e69c7d90420c395a81ddd7cad0ba8e9e8 Mon Sep 17 00:00:00 2001 From: Ryan Petrello Date: Tue, 14 Nov 2017 16:21:05 -0500 Subject: [PATCH] fix a permissions bug for credentials specified at JT launch time hat tip to @alancoding for spotting this one --- awx/api/views.py | 12 ++++++--- .../test_deprecated_credential_assignment.py | 27 +++++++++++++++++++ .../functional/api/test_job_runtime_params.py | 2 +- 3 files changed, 36 insertions(+), 5 deletions(-) diff --git a/awx/api/views.py b/awx/api/views.py index b873c883f1..3dbb18db29 100644 --- a/awx/api/views.py +++ b/awx/api/views.py @@ -2797,10 +2797,14 @@ class JobTemplateLaunch(RetrieveAPIView): if request.user not in use_role: raise PermissionDenied() - for cred in prompted_fields.get('credentials', []): - new_credential = get_object_or_400(Credential, pk=cred) - if request.user not in new_credential.use_role: - raise PermissionDenied() + # For credentials that are _added_ via launch parameters, ensure the + # launching user has access + current_credentials = set(obj.credentials.values_list('id', flat=True)) + for new_cred in Credential.objects.filter(id__in=prompted_fields.get('credentials', [])): + if new_cred.pk not in current_credentials and request.user not in new_cred.use_role: + raise PermissionDenied(_( + "You do not have access to credential {}".format(new_cred.name) + )) new_job = obj.create_unified_job(**prompted_fields) result = new_job.signal_start(**passwords) diff --git a/awx/main/tests/functional/api/test_deprecated_credential_assignment.py b/awx/main/tests/functional/api/test_deprecated_credential_assignment.py index 1527100c1c..0686f3b173 100644 --- a/awx/main/tests/functional/api/test_deprecated_credential_assignment.py +++ b/awx/main/tests/functional/api/test_deprecated_credential_assignment.py @@ -338,3 +338,30 @@ def test_extra_creds_prompted_at_launch(get, post, job_template, admin, net_cred def test_invalid_mixed_credentials_specification(get, post, job_template, admin, net_credential): url = reverse('api:job_template_launch', kwargs={'pk': job_template.pk}) post(url, {'credentials': [net_credential.pk], 'extra_credentials': [net_credential.pk]}, admin, expect=400) + + +@pytest.mark.django_db +def test_rbac_default_credential_usage(get, post, job_template, alice, machine_credential): + job_template.credentials.add(machine_credential) + job_template.execute_role.members.add(alice) + job_template.save() + + # alice can launch; she's not adding any _new_ credentials, and she has + # execute access to the JT + url = reverse('api:job_template_launch', kwargs={'pk': job_template.pk}) + post(url, {'credential': machine_credential.pk}, alice, expect=201) + + # make (copy) a _new_ SSH cred + new_cred = machine_credential + new_cred.pk = None + new_cred.save() + + # alice is attempting to launch with a *different* SSH cred, but + # she does not have access to it, so she cannot launch + url = reverse('api:job_template_launch', kwargs={'pk': job_template.pk}) + post(url, {'credential': new_cred.pk}, alice, expect=403) + + # if alice has gains access to the credential, she *can* launch + new_cred.use_role.members.add(alice) + url = reverse('api:job_template_launch', kwargs={'pk': job_template.pk}) + post(url, {'credential': new_cred.pk}, alice, expect=201) diff --git a/awx/main/tests/functional/api/test_job_runtime_params.py b/awx/main/tests/functional/api/test_job_runtime_params.py index 6214db94a8..cd9d13df86 100644 --- a/awx/main/tests/functional/api/test_job_runtime_params.py +++ b/awx/main/tests/functional/api/test_job_runtime_params.py @@ -237,7 +237,7 @@ def test_job_launch_fails_without_credential_access(job_template_prompts, runtim response = post(reverse('api:job_template_launch', kwargs={'pk':job_template.pk}), dict(credentials=runtime_data['credentials']), rando, expect=403) - assert response.data['detail'] == u'You do not have permission to perform this action.' + assert response.data['detail'] == u'You do not have access to credential runtime-cred' @pytest.mark.django_db