Merge pull request #3347 from wwitzel3/issue-3305

Ensure deprecated_team.org is passed to credential.
2026-01-12 02:19:58 -03:30 · 2016-08-26 09:45:38 -04:00 · 2016-08-26 09:45:38 -04:00 · fbcd14d40b
commit fbcd14d40b
parent eb70d8d32e 18e4a33404
4 changed files with 28 additions and 4 deletions
--- a/awx/main/migrations/0032_v302_credential_permissions_update.py
+++ b/awx/main/migrations/0032_v302_credential_permissions_update.py
@ -25,5 +25,6 @@ class Migration(migrations.Migration):
            name='use_role',
            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
        ),
+        migrations.RunPython(rbac.infer_credential_org_from_team),
        migrations.RunPython(rbac.rebuild_role_hierarchy),
    ]
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@ -489,4 +489,7 @@ def rebuild_role_hierarchy(apps, schema_editor):
        logger.info('Rebuild completed in %f seconds' % (stop - start))
        logger.info('Done.')

-
+def infer_credential_org_from_team(apps, schema_editor):
+    Credential = apps.get_model('main', "Credential")
+    for cred in Credential.objects.exclude(deprecated_team__isnull=True):
+        _update_credential_parents(cred.deprecated_team.organization, cred)
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@ -71,7 +71,6 @@ def test_create_user_credential_via_user_credentials_list_xfail(post, alice, bob
 def test_create_team_credential(post, get, team, organization, org_admin, team_member):
    response = post(reverse('api:credential_list'), {
        'team': team.id,
-        'organization': organization.id,
        'name': 'Some name',
        'username': 'someusername'
    }, org_admin)
@ -81,6 +80,9 @@ def test_create_team_credential(post, get, team, organization, org_admin, team_m
    assert response.status_code == 200
    assert response.data['count'] == 1

+    # Assure that credential's organization is implictly set to team's org
+    assert response.data['results'][0]['summary_fields']['organization']['id'] == team.organization.id
+
@pytest.mark.django_db
 def test_create_team_credential_via_team_credentials_list(post, get, team, org_admin, team_member):
    response = post(reverse('api:team_credentials_list', args=(team.pk,)), {
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@ -54,7 +54,7 @@ def test_credential_migration_team_member(credential, team, user, permissions):

    rbac.migrate_credential(apps, None)

-    # Admin permissions post migration
+    # User permissions post migration
    assert u in credential.use_role
    assert u not in credential.admin_role

@ -67,10 +67,28 @@ def test_credential_migration_team_admin(credential, team, user, permissions):

    assert u not in credential.use_role

-    # Usage permissions post migration
+    # Admin permissions post migration
    rbac.migrate_credential(apps, None)
    assert u in credential.admin_role

+@pytest.mark.django_db
+def test_credential_migration_org_auditor(credential, team, org_auditor):
+    # Team's organization is the org_auditor's org
+    credential.deprecated_team = team
+    credential.save()
+
+    # No permissions pre-migration (this happens automatically so we patch this)
+    team.admin_role.children.remove(credential.admin_role)
+    team.member_role.children.remove(credential.use_role)
+    assert org_auditor not in credential.read_role
+
+    rbac.migrate_credential(apps, None)
+    rbac.infer_credential_org_from_team(apps, None)
+
+    # Read permissions post migration
+    assert org_auditor not in credential.use_role
+    assert org_auditor in credential.read_role
+
 def test_credential_access_superuser():
    u = User(username='admin', is_superuser=True)
    access = CredentialAccess(u)