import mock
|
|
import pytest
|
|
|
|
from awx.main.access import (
|
|
BaseAccess,
|
|
JobTemplateAccess,
|
|
)
|
|
from awx.main.migrations import _rbac as rbac
|
|
from awx.main.models import Permission
|
|
from awx.main.models.jobs import JobTemplate
|
|
from django.apps import apps
|
|
|
|
from django.core.urlresolvers import reverse
|
|
|
|
|
|
@pytest.mark.django_db
def test_job_template_migration_check(credential, deploy_jobtemplate, check_jobtemplate, user):
    """A user-level legacy 'check' permission migrates to execute on the check template only.

    Sets up a non-superuser with a deprecated credential, organization
    membership, and legacy 'read' and 'check' Permission rows scoped to the
    check job template's inventory/project. After the RBAC migrations run,
    that user must hold execute_role on the check job template and must NOT
    hold it on the deploy job template.
    """
    superuser = user('admin', is_superuser=True)
    legacy_user = user('joe')

    # Legacy (pre-RBAC) ownership of the credential.
    credential.deprecated_user = legacy_user
    credential.save()

    check_jobtemplate.project.organization.deprecated_users.add(legacy_user)

    read_grant = Permission(user=legacy_user, inventory=check_jobtemplate.inventory, permission_type='read')
    read_grant.save()
    check_grant = Permission(
        user=legacy_user,
        inventory=check_jobtemplate.inventory,
        project=check_jobtemplate.project,
        permission_type='check',
    )
    check_grant.save()

    # Prerequisite migrations, in the order the job template migration is
    # exercised against here.
    for migrate_step in (
        rbac.migrate_users,
        rbac.migrate_organization,
        rbac.migrate_projects,
        rbac.migrate_inventory,
    ):
        migrate_step(apps, None)

    # Before the job template migration: project read is present, but no
    # execute access has been granted to the non-superuser yet.
    assert legacy_user in check_jobtemplate.project.read_role
    assert superuser in check_jobtemplate.execute_role
    assert legacy_user not in check_jobtemplate.execute_role

    rbac.migrate_job_templates(apps, None)

    assert superuser in check_jobtemplate.execute_role
    assert legacy_user in check_jobtemplate.execute_role
    assert superuser in deploy_jobtemplate.execute_role
    # Least-privilege guard: a 'check' permission must not escalate to
    # execute on the deploy template.
    assert legacy_user not in deploy_jobtemplate.execute_role
|
|
|
|
@pytest.mark.django_db
def test_job_template_migration_deploy(credential, deploy_jobtemplate, check_jobtemplate, user):
    """A user-level legacy 'run' permission migrates to execute on both templates.

    Sets up a non-superuser with a deprecated credential, organization
    membership, and legacy 'read' and 'run' Permission rows scoped to the
    deploy job template's inventory/project. After the RBAC migrations run,
    that user is expected in execute_role of both the deploy and the check
    job templates.
    """
    superuser = user('admin', is_superuser=True)
    legacy_user = user('joe')

    # Legacy (pre-RBAC) ownership of the credential.
    credential.deprecated_user = legacy_user
    credential.save()

    deploy_jobtemplate.project.organization.deprecated_users.add(legacy_user)

    read_grant = Permission(user=legacy_user, inventory=deploy_jobtemplate.inventory, permission_type='read')
    read_grant.save()
    run_grant = Permission(
        user=legacy_user,
        inventory=deploy_jobtemplate.inventory,
        project=deploy_jobtemplate.project,
        permission_type='run',
    )
    run_grant.save()

    for migrate_step in (
        rbac.migrate_users,
        rbac.migrate_organization,
        rbac.migrate_projects,
        rbac.migrate_inventory,
    ):
        migrate_step(apps, None)

    # Before the job template migration the non-superuser can read the
    # project but has no execute access.
    assert legacy_user in deploy_jobtemplate.project.read_role
    assert superuser in deploy_jobtemplate.execute_role
    assert legacy_user not in deploy_jobtemplate.execute_role

    rbac.migrate_job_templates(apps, None)

    assert superuser in deploy_jobtemplate.execute_role
    assert legacy_user in deploy_jobtemplate.execute_role
    assert superuser in check_jobtemplate.execute_role
    # NOTE(review): the 'run' grant is asserted to carry over to the check
    # template as well; presumably both fixtures share the same
    # project/inventory/credential -- confirm against the fixtures that this
    # breadth is the intended mapping.
    assert legacy_user in check_jobtemplate.execute_role
|
|
|
|
|
|
@pytest.mark.django_db
def test_job_template_team_migration_check(credential, deploy_jobtemplate, check_jobtemplate, organization, team, user):
    """A team-level legacy 'check' permission migrates to execute on the check template only.

    The non-superuser is a deprecated member of a team that owns the
    credential and holds legacy 'read' and 'check' Permission rows on the
    check job template's inventory/project. After the RBAC migrations run,
    the user must hold execute_role on the check job template and must NOT
    hold it on the deploy job template.
    """
    superuser = user('admin', is_superuser=True)
    team_member = user('joe')

    team.deprecated_users.add(team_member)
    team.organization = organization
    team.save()

    # Legacy (pre-RBAC) team ownership of the credential.
    credential.deprecated_team = team
    credential.save()

    check_jobtemplate.project.organization.deprecated_users.add(team_member)

    read_grant = Permission(team=team, inventory=check_jobtemplate.inventory, permission_type='read')
    read_grant.save()
    check_grant = Permission(
        team=team,
        inventory=check_jobtemplate.inventory,
        project=check_jobtemplate.project,
        permission_type='check',
    )
    check_grant.save()

    # Team migration runs right after users and before the organization step.
    for migrate_step in (
        rbac.migrate_users,
        rbac.migrate_team,
        rbac.migrate_organization,
        rbac.migrate_projects,
        rbac.migrate_inventory,
    ):
        migrate_step(apps, None)

    # Before the job template migration the team member has neither read
    # nor execute on the template.
    assert team_member not in check_jobtemplate.read_role
    assert superuser in check_jobtemplate.execute_role
    assert team_member not in check_jobtemplate.execute_role

    rbac.migrate_job_templates(apps, None)

    # NOTE(review): read_role is not re-checked after the migration in this
    # test; only execute_role is asserted.
    assert superuser in check_jobtemplate.execute_role
    assert team_member in check_jobtemplate.execute_role

    assert superuser in deploy_jobtemplate.execute_role
    # Least-privilege guard: a team 'check' permission must not escalate to
    # execute on the deploy template.
    assert team_member not in deploy_jobtemplate.execute_role
|
|
|
|
|
|
@pytest.mark.django_db
def test_job_template_team_deploy_migration(credential, deploy_jobtemplate, check_jobtemplate, organization, team, user):
    """A team-level legacy 'run' permission migrates to read/execute on the deploy template.

    The non-superuser is a deprecated member of a team that owns the
    credential and holds legacy 'read' and 'run' Permission rows on the
    deploy job template's inventory/project. After the RBAC migrations run,
    the user is expected in read_role and execute_role of the deploy job
    template and in execute_role of the check job template.
    """
    superuser = user('admin', is_superuser=True)
    team_member = user('joe')

    team.deprecated_users.add(team_member)
    team.organization = organization
    team.save()

    # Legacy (pre-RBAC) team ownership of the credential.
    credential.deprecated_team = team
    credential.save()

    deploy_jobtemplate.project.organization.deprecated_users.add(team_member)

    read_grant = Permission(team=team, inventory=deploy_jobtemplate.inventory, permission_type='read')
    read_grant.save()
    run_grant = Permission(
        team=team,
        inventory=deploy_jobtemplate.inventory,
        project=deploy_jobtemplate.project,
        permission_type='run',
    )
    run_grant.save()

    # Team migration runs right after users and before the organization step.
    for migrate_step in (
        rbac.migrate_users,
        rbac.migrate_team,
        rbac.migrate_organization,
        rbac.migrate_projects,
        rbac.migrate_inventory,
    ):
        migrate_step(apps, None)

    # Before the job template migration the team member has neither read
    # nor execute on the template.
    assert team_member not in deploy_jobtemplate.read_role
    assert superuser in deploy_jobtemplate.execute_role
    assert team_member not in deploy_jobtemplate.execute_role

    rbac.migrate_job_templates(apps, None)

    assert team_member in deploy_jobtemplate.read_role
    assert superuser in deploy_jobtemplate.execute_role
    assert team_member in deploy_jobtemplate.execute_role

    assert superuser in check_jobtemplate.execute_role
    # NOTE(review): the team 'run' grant is asserted to carry over to the
    # check template too; presumably the fixtures share
    # project/inventory/credential -- confirm this breadth is intended.
    assert team_member in check_jobtemplate.execute_role
|
|
|
|
|
|
@mock.patch.object(BaseAccess, 'check_license', return_value=None)
@pytest.mark.django_db
def test_job_template_access_superuser(check_license, user, deploy_jobtemplate):
    """A superuser passes the read and add checks on JobTemplateAccess.

    BaseAccess.check_license is patched to return None for the duration of
    the test; the patched mock is received as ``check_license``. Only
    can_read and can_add are exercised here.
    """
    # GIVEN a superuser
    superuser = user('admin', True)

    # WHEN access to a job template is checked
    jt_access = JobTemplateAccess(superuser)

    # THEN the read and add checks should pass
    assert jt_access.can_read(deploy_jobtemplate)
    assert jt_access.can_add({})
|
|
|
|
@pytest.mark.django_db
@pytest.mark.job_permissions
def test_job_template_creator_access(project, rando, post):
    """A project admin who creates a job template through the API becomes its admin.

    ``rando`` is added to the project's admin_role, then POSTs a new job
    template to the 'api:job_template_list' endpoint. The request must
    return 201 and the created JobTemplate must list ``rando`` in its
    admin_role.
    """
    project.admin_role.members.add(rando)

    # The project's playbook list is replaced with a fixed value so the
    # posted playbook name matches an entry in it.
    playbooks_patch = mock.patch(
        'awx.main.models.projects.ProjectOptions.playbooks',
        new_callable=mock.PropertyMock(return_value=['helloworld.yml']))
    with playbooks_patch:
        list_url = reverse('api:job_template_list', args=[])
        payload = dict(
            name='newly-created-jt',
            job_type='run',
            ask_inventory_on_launch=True,
            ask_credential_on_launch=True,
            project=project.pk,
            playbook='helloworld.yml'
        )
        response = post(list_url, payload, rando)

    assert response.status_code == 201
    created_jt = JobTemplate.objects.get(pk=response.data['id'])
    # Creating a JT should place the creator in the admin role
    assert rando in created_jt.admin_role
|