Merge pull request #3347 from wwitzel3/issue-3305

Ensure deprecated_team.org is passed to credential.

awx/main/migrations/0032_v302_credential_permissions_update.py

@@ -25,5 +25,6 @@ class Migration(migrations.Migration):
             name='use_role',
             field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
         ),
+        migrations.RunPython(rbac.infer_credential_org_from_team),
         migrations.RunPython(rbac.rebuild_role_hierarchy),
     ]

awx/main/migrations/_rbac.py

@@ -489,4 +489,7 @@ def rebuild_role_hierarchy(apps, schema_editor):
         logger.info('Rebuild completed in %f seconds' % (stop - start))
         logger.info('Done.')
 
-
+def infer_credential_org_from_team(apps, schema_editor):
+    Credential = apps.get_model('main', "Credential")
+    for cred in Credential.objects.exclude(deprecated_team__isnull=True):
+        _update_credential_parents(cred.deprecated_team.organization, cred)

awx/main/tests/functional/api/test_credential.py

@@ -71,7 +71,6 @@ def test_create_user_credential_via_user_credentials_list_xfail(post, alice, bob
 def test_create_team_credential(post, get, team, organization, org_admin, team_member):
     response = post(reverse('api:credential_list'), {
         'team': team.id,
-        'organization': organization.id,
         'name': 'Some name',
         'username': 'someusername'
     }, org_admin)
@@ -81,6 +80,9 @@ def test_create_team_credential(post, get, team, organization, org_admin, team_m
     assert response.status_code == 200
     assert response.data['count'] == 1
 
+    # Assure that credential's organization is implictly set to team's org
+    assert response.data['results'][0]['summary_fields']['organization']['id'] == team.organization.id
+
 @pytest.mark.django_db
 def test_create_team_credential_via_team_credentials_list(post, get, team, org_admin, team_member):
     response = post(reverse('api:team_credentials_list', args=(team.pk,)), {

awx/main/tests/functional/test_rbac_credential.py

@@ -54,7 +54,7 @@ def test_credential_migration_team_member(credential, team, user, permissions):
 
     rbac.migrate_credential(apps, None)
 
-    # Admin permissions post migration
+    # User permissions post migration
     assert u in credential.use_role
     assert u not in credential.admin_role
 
@@ -67,10 +67,28 @@ def test_credential_migration_team_admin(credential, team, user, permissions):
 
     assert u not in credential.use_role
 
-    # Usage permissions post migration
+    # Admin permissions post migration
     rbac.migrate_credential(apps, None)
     assert u in credential.admin_role
 
+@pytest.mark.django_db
+def test_credential_migration_org_auditor(credential, team, org_auditor):
+    # Team's organization is the org_auditor's org
+    credential.deprecated_team = team
+    credential.save()
+
+    # No permissions pre-migration (this happens automatically so we patch this)
+    team.admin_role.children.remove(credential.admin_role)
+    team.member_role.children.remove(credential.use_role)
+    assert org_auditor not in credential.read_role
+
+    rbac.migrate_credential(apps, None)
+    rbac.infer_credential_org_from_team(apps, None)
+
+    # Read permissions post migration
+    assert org_auditor not in credential.use_role
+    assert org_auditor in credential.read_role
+
 def test_credential_access_superuser():
     u = User(username='admin', is_superuser=True)
     access = CredentialAccess(u)