From 23024c8fadef1d1bea9712f652b2bebd9a0bdf75 Mon Sep 17 00:00:00 2001 From: AlanCoding Date: Wed, 24 Aug 2016 10:54:35 -0400 Subject: [PATCH 1/3] Make sure org admins can see credential after migration, comment updates on related tests add clause in test to verify automatic setting of org of new team credential --- .../tests/functional/api/test_credential.py | 4 +++- .../tests/functional/test_rbac_credential.py | 21 +++++++++++++++++-- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/awx/main/tests/functional/api/test_credential.py b/awx/main/tests/functional/api/test_credential.py index 3c79e62e33..f1e7a2b1dd 100644 --- a/awx/main/tests/functional/api/test_credential.py +++ b/awx/main/tests/functional/api/test_credential.py @@ -71,7 +71,6 @@ def test_create_user_credential_via_user_credentials_list_xfail(post, alice, bob def test_create_team_credential(post, get, team, organization, org_admin, team_member): response = post(reverse('api:credential_list'), { 'team': team.id, - 'organization': organization.id, 'name': 'Some name', 'username': 'someusername' }, org_admin) @@ -81,6 +80,9 @@ def test_create_team_credential(post, get, team, organization, org_admin, team_m assert response.status_code == 200 assert response.data['count'] == 1 + # Assure that credential's organization is implictly set to team's org + assert response.data['results'][0]['summary_fields']['organization']['id'] == team.organization.id + @pytest.mark.django_db def test_create_team_credential_via_team_credentials_list(post, get, team, org_admin, team_member): response = post(reverse('api:team_credentials_list', args=(team.pk,)), { diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py index 72ba6397ae..29c50f73e7 100644 --- a/awx/main/tests/functional/test_rbac_credential.py +++ b/awx/main/tests/functional/test_rbac_credential.py 
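Review bot: In `test_create_team_credential`, dropping `'organization': organization.id` from the POST body means the case where a caller sends both a team and an organization is no longer exercised here, and that case decides which organization's admins and auditors can see the credential. The assertion added in the second hunk (`@@ -81,6 +80,9`) covers only the implicit path. Consider a companion test that posts a `team` together with an `organization` other than `team.organization` and pins what the API is meant to do (reject or override); whether such a test exists elsewhere is not visible from these hunks. The added comment also has a typo and should read `# Assure that credential's organization is implicitly set to team's org`.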
@@ -54,7 +54,7 @@ def test_credential_migration_team_member(credential, team, user, permissions): rbac.migrate_credential(apps, None) - # Admin permissions post migration + # User permissions post migration assert u in credential.use_role assert u not in credential.admin_role @@ -67,10 +67,27 @@ def test_credential_migration_team_admin(credential, team, user, permissions): assert u not in credential.use_role - # Usage permissions post migration + # Admin permissions post migration rbac.migrate_credential(apps, None) assert u in credential.admin_role +@pytest.mark.django_db +def test_credential_migration_org_auditor(credential, team, org_auditor): + # Team's organization is the org_auditor's org + credential.deprecated_team = team + credential.save() + + # No permissions pre-migration (this happens automatically so we patch this) + team.admin_role.children.remove(credential.admin_role) + team.member_role.children.remove(credential.use_role) + assert org_auditor not in credential.read_role + + rbac.migrate_credential(apps, None) + + # Read permissions post migration + assert org_auditor in credential.use_role + assert org_auditor in credential.read_role + def test_credential_access_superuser(): u = User(username='admin', is_superuser=True) access = CredentialAccess(u) From dbe3f628d4e08e45234bf8b22f2744782933664e Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Thu, 25 Aug 2016 13:44:55 -0400 Subject: [PATCH 2/3] ensure team organizations are assigned to credentials --- .../migrations/0032_v302_credential_permissions_update.py | 1 + awx/main/migrations/_rbac.py | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/awx/main/migrations/0032_v302_credential_permissions_update.py b/awx/main/migrations/0032_v302_credential_permissions_update.py index a961be6dcf..2587588e6d 100644 --- a/awx/main/migrations/0032_v302_credential_permissions_update.py +++ b/awx/main/migrations/0032_v302_credential_permissions_update.py 
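Review bot: The comment `# No permissions pre-migration (this happens automatically so we patch this)` in the new `test_credential_migration_org_auditor` (hunk `@@ -67,10 +67,27`) does not say what "this" refers to. Judging by the two `children.remove(...)` calls that follow, saving the credential with `deprecated_team` set appears to link the team roles to the credential roles, and the test undoes that to simulate the pre-migration state. A wording such as `# Saving with deprecated_team links the team roles to the credential; unlink them to simulate the pre-migration state` would make that explicit, once confirmed against the model's save/signal code, which is outside this hunk. The precondition would also be stronger with `assert org_auditor not in credential.use_role` next to the existing `read_role` check, so the post-migration assertions are compared against a known baseline.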
@@ -25,5 +25,6 @@ class Migration(migrations.Migration): name='use_role', field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'), ), + migrations.RunPython(rbac.infer_credential_org_from_team), migrations.RunPython(rbac.rebuild_role_hierarchy), ] diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py index b60ac65691..245adc58ef 100644 --- a/awx/main/migrations/_rbac.py +++ b/awx/main/migrations/_rbac.py @@ -489,4 +489,7 @@ def rebuild_role_hierarchy(apps, schema_editor): logger.info('Rebuild completed in %f seconds' % (stop - start)) logger.info('Done.') - +def infer_credential_org_from_team(apps, schema_editor): + Credential = apps.get_model('main', "Credential") + for cred in Credential.objects.exclude(deprecated_team__isnull=True): + _update_credential_parents(cred.deprecated_team.organization, cred) From 18e4a33404607780ff95b1f735ea9c1b65fa0440 Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Thu, 25 Aug 2016 13:45:13 -0400 Subject: [PATCH 3/3] update test to check org_auditor access --- awx/main/tests/functional/test_rbac_credential.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py index 29c50f73e7..ae68f036d8 100644 --- a/awx/main/tests/functional/test_rbac_credential.py +++ b/awx/main/tests/functional/test_rbac_credential.py @@ -83,9 +83,10 @@ def test_credential_migration_org_auditor(credential, team, org_auditor): assert org_auditor not in credential.read_role rbac.migrate_credential(apps, None) + rbac.infer_credential_org_from_team(apps, None) # Read permissions post migration - assert org_auditor in credential.use_role + assert org_auditor not in credential.use_role assert org_auditor in credential.read_role def test_credential_access_superuser():
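Review bot: The new `migrations.RunPython(rbac.infer_credential_org_from_team)` step is appended to the existing `0032_v302_credential_permissions_update.py` rather than placed in a new migration, so any database that already has 0032 recorded as applied will never run it. On such a system, team credentials keep whatever organization link they had, and the visibility change this series is about silently does not happen. If 0032 may already have been applied anywhere, the step belongs in a follow-up migration. Placing it before `rbac.rebuild_role_hierarchy` looks intentional and is worth a one-line comment, e.g. `# must run before the hierarchy rebuild so the new parents are picked up`.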
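Review bot: `infer_credential_org_from_team` in `_rbac.py` passes `cred.deprecated_team.organization` straight to `_update_credential_parents` without checking it and writes nothing to the log, so a migration that changes which organization's roles can reach a credential leaves no record of what it touched. If a team can exist without an organization (not visible from this hunk), the helper receives `None`. Whether the helper overwrites an organization already set on the credential cannot be told from here, because `_update_credential_parents` is defined outside the hunk. The sketch below adds a docstring, a guard for the missing-organization case, per-credential logging through the module's existing `logger`, and `select_related` to avoid extra lookups per row.

```python
def infer_credential_org_from_team(apps, schema_editor):
    """Attach each team-owned credential to its team's organization."""
    Credential = apps.get_model('main', "Credential")
    team_creds = Credential.objects.exclude(
        deprecated_team__isnull=True
    ).select_related('deprecated_team__organization')
    for cred in team_creds:
        org = cred.deprecated_team.organization
        if org is None:
            # Nothing to infer; leave the credential's parents untouched.
            logger.info('Credential %s: team has no organization, skipped', cred.pk)
            continue
        _update_credential_parents(org, cred)
        logger.info('Credential %s: parents updated from organization %s', cred.pk, org.pk)
```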
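Review bot: After the check is flipped to `assert org_auditor not in credential.use_role`, `test_credential_migration_org_auditor` still leaves the highest role unpinned. Adding `assert org_auditor not in credential.admin_role` would complete the least-privilege expectation for an auditor. The test now calls `rbac.migrate_credential` and then `rbac.infer_credential_org_from_team` by hand, so a short comment such as `# org inference runs as its own migration step, so call it explicitly` would explain why two calls are needed. The function body starts outside this hunk.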