Merge branch 'stable' into devel

* stable: (24 commits) Updating changelogs for 3.0.2 release fixing deprecated_team.organization credential migration Fix issue when installing bundled ansible on el6 fixed localed date stuff update test to check org_auditor access ensure team organizations are assigned to credentials temporarily pin the pytest version until the ldap error can be fixed fixed locale fix date locale angular scheduler Make sure org admins can see credential after migration, comment updates on related tests add clause in test to verify automatic setting of org of new team credential Update team admin credential migration test to current state-of-knowledge fix ng-toast rel, resolves #3197 (#3316) allow users to edit their first and last name Revert "Prevent ignored task from being displayed as failing." Revert "Modify job event save behavior" fixing old tests for new user creation permissions Clean venv on 'make clean' Resolve KeyError by coercing instance_id to a str Update cloudforms dynamic inventory Update foreman inventory script ...
2026-05-17 06:17:36 -02:30 · 2016-08-31 14:34:52 -04:00
parent 0007df0976 48e15d98b5
commit f988877bae
16 changed files with 586 additions and 173 deletions
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@@ -71,7 +71,6 @@ def test_create_user_credential_via_user_credentials_list_xfail(post, alice, bob
 def test_create_team_credential(post, get, team, organization, org_admin, team_member):
    response = post(reverse('api:credential_list'), {
        'team': team.id,
-        'organization': organization.id,
        'name': 'Some name',
        'username': 'someusername'
    }, org_admin)
@@ -81,6 +80,9 @@ def test_create_team_credential(post, get, team, organization, org_admin, team_m
    assert response.status_code == 200
    assert response.data['count'] == 1

+    # Assure that credential's organization is implictly set to team's org
+    assert response.data['results'][0]['summary_fields']['organization']['id'] == team.organization.id
+
@pytest.mark.django_db
 def test_create_team_credential_via_team_credentials_list(post, get, team, org_admin, team_member):
    response = post(reverse('api:team_credentials_list', args=(team.pk,)), {
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@@ -54,21 +54,40 @@ def test_credential_migration_team_member(credential, team, user, permissions):

    rbac.migrate_credential(apps, None)

-    # Admin permissions post migration
+    # User permissions post migration
    assert u in credential.use_role
+    assert u not in credential.admin_role

@pytest.mark.django_db
 def test_credential_migration_team_admin(credential, team, user, permissions):
    u = user('user', False)
-    team.member_role.members.add(u)
+    team.admin_role.members.add(u)
    credential.deprecated_team = team
    credential.save()

    assert u not in credential.use_role

-    # Usage permissions post migration
+    # Admin permissions post migration
    rbac.migrate_credential(apps, None)
-    assert u in credential.use_role
+    assert u in credential.admin_role
+
+@pytest.mark.django_db
+def test_credential_migration_org_auditor(credential, team, org_auditor):
+    # Team's organization is the org_auditor's org
+    credential.deprecated_team = team
+    credential.save()
+
+    # No permissions pre-migration (this happens automatically so we patch this)
+    team.admin_role.children.remove(credential.admin_role)
+    team.member_role.children.remove(credential.use_role)
+    assert org_auditor not in credential.read_role
+
+    rbac.migrate_credential(apps, None)
+    rbac.infer_credential_org_from_team(apps, None)
+
+    # Read permissions post migration
+    assert org_auditor not in credential.use_role
+    assert org_auditor in credential.read_role

 def test_credential_access_superuser():
    u = User(username='admin', is_superuser=True)
--- a/awx/main/tests/old/users.py
+++ b/awx/main/tests/old/users.py
@@ -192,8 +192,12 @@ class UsersTest(BaseTest):
        self.post(url, expect=403, data=new_user, auth=self.get_other_credentials())
        self.post(url, expect=201, data=new_user, auth=self.get_super_credentials())
        self.post(url, expect=400, data=new_user, auth=self.get_super_credentials())
-        self.post(url, expect=201, data=new_user2, auth=self.get_normal_credentials())
-        self.post(url, expect=400, data=new_user2, auth=self.get_normal_credentials())
+        # org admin cannot create orphaned users
+        self.post(url, expect=403, data=new_user2, auth=self.get_normal_credentials())
+        # org admin can create org users
+        org_url = reverse('api:organization_users_list', args=(self.organizations[0].pk,))
+        self.post(org_url, expect=201, data=new_user2, auth=self.get_normal_credentials())
+        self.post(org_url, expect=400, data=new_user2, auth=self.get_normal_credentials())
        # Normal user cannot add users after his org is marked inactive.
        self.organizations[0].delete()
        new_user3 = dict(username='blippy3')
@@ -325,9 +329,9 @@ class UsersTest(BaseTest):
        detail_url = reverse('api:user_detail', args=(self.other_django_user.pk,))
        data = self.get(detail_url, expect=200, auth=self.get_other_credentials())

-        # can't change first_name, last_name, etc
+        # can change first_name, last_name, etc
        data['last_name'] = "NewLastName"
-        self.put(detail_url, data, expect=403, auth=self.get_other_credentials())
+        self.put(detail_url, data, expect=200, auth=self.get_other_credentials())

        # can't change username
        data['username'] = 'newUsername'
@@ -367,23 +371,20 @@ class UsersTest(BaseTest):
        url = reverse('api:user_list')
        data  = dict(username='username',  password='password')
        data2 = dict(username='username2', password='password2')
-        data = self.post(url, expect=201, data=data, auth=self.get_normal_credentials())

+        # but a regular user cannot create users
+        self.post(url, expect=403, data=data2, auth=self.get_other_credentials())
+        # org admins cannot create orphaned users
+        self.post(url, expect=403, data=data2, auth=self.get_normal_credentials())
+
+        # a super user can create new users
+        self.post(url, expect=201, data=data, auth=self.get_super_credentials())
        # verify that the login works...
        self.get(url, expect=200, auth=('username', 'password'))

-        # but a regular user cannot
-        data = self.post(url, expect=403, data=data2, auth=self.get_other_credentials())
-
-        # a super user can also create new users
-        data = self.post(url, expect=201, data=data2, auth=self.get_super_credentials())
-
-        # verify that the login works
-        self.get(url, expect=200, auth=('username2', 'password2'))
-
        # verify that if you post a user with a pk, you do not alter that user's password info
        mod = dict(id=self.super_django_user.pk, username='change', password='change')
-        data = self.post(url, expect=201, data=mod, auth=self.get_super_credentials())
+        self.post(url, expect=201, data=mod, auth=self.get_super_credentials())
        orig = User.objects.get(pk=self.super_django_user.pk)
        self.assertTrue(orig.username != 'change')