import pytest
from awx.main.models import (
Host,
CustomInventoryScript,
Schedule,
)
from awx.main.access import (
InventoryAccess,
InventorySourceAccess,
HostAccess,
InventoryUpdateAccess,
CustomInventoryScriptAccess,
ScheduleAccess,
)
@pytest.mark.django_db
def test_custom_inv_script_access(organization, user):
    """Check that script roles follow the owning organization's roles.

    A user with no organization role is not in the script's ``read_role``;
    adding them to the organization's ``member_role`` puts them in it, and a
    member of the organization's ``admin_role`` is in the script's
    ``admin_role``.
    """
    plain_user = user('user', False)
    org_admin_user = user('oadm', False)

    # The script is created without an organization and attached afterwards.
    script = CustomInventoryScript.objects.create(
        name='test',
        script='test',
        description='test',
    )
    script.organization = organization
    script.save()

    # Negative control: no organization role has been granted yet.
    assert plain_user not in script.read_role

    # Organization membership is enough to read the script.
    organization.member_role.members.add(plain_user)
    assert plain_user in script.read_role

    # Organization admins are admins of the script.
    organization.admin_role.members.add(org_admin_user)
    assert org_admin_user in script.admin_role
@pytest.fixture
def custom_inv(organization):
    """Provide a CustomInventoryScript created inside ``organization``."""
    script_fields = {
        'name': 'test',
        'script': 'test',
        'description': 'test',
        'organization': organization,
    }
    return CustomInventoryScript.objects.create(**script_fields)
@pytest.mark.django_db
def test_modify_inv_script_foreign_org_admin(
        org_admin, organization, organization_factory, project, custom_inv):
    """Deny a change that re-homes a script into a different organization.

    The requested change points ``custom_inv`` at a freshly created
    organization ('not-my-org'); ``can_change`` must refuse it for
    ``org_admin``.
    """
    # NOTE(review): presumably org_admin administers only `organization`,
    # not the organization built here; confirm against the fixture.
    foreign_org = organization_factory('not-my-org').organization
    script_access = CustomInventoryScriptAccess(org_admin)
    requested_change = {'organization': foreign_org.pk, 'name': 'new-project'}
    assert not script_access.can_change(custom_inv, requested_change)
@pytest.mark.django_db
def test_org_member_inventory_script_permissions(org_member, organization, custom_inv):
    """Check that ``org_member`` can read the script but not delete or change it."""
    member_access = CustomInventoryScriptAccess(org_member)

    readable = member_access.can_read(custom_inv)
    assert readable

    # The two mutating operations must both be refused.
    deletable = member_access.can_delete(custom_inv)
    assert not deletable
    editable = member_access.can_change(custom_inv, {'name': 'ed-test'})
    assert not editable
@pytest.mark.django_db
def test_copy_only_admin(org_member, organization, custom_inv):
    """Check that admin on the script itself does not grant copy.

    ``org_member`` is added to the script's own ``admin_role``. ``can_copy``
    must still be refused, and ``get_user_capabilities`` must report edit and
    delete as allowed while copy stays denied.
    """
    custom_inv.admin_role.members.add(org_member)
    script_access = CustomInventoryScriptAccess(org_member)

    assert not script_access.can_copy(custom_inv)

    expected_capabilities = {'edit': True, 'delete': True, 'copy': False}
    reported_capabilities = script_access.get_user_capabilities(
        custom_inv, method_list=['edit', 'delete', 'copy'])
    assert reported_capabilities == expected_capabilities
@pytest.mark.django_db
@pytest.mark.parametrize("role", ["admin_role", "inventory_admin_role"])
def test_access_admin(role, organization, inventory, user):
    """Check that either organization-level admin role gives full inventory control.

    Runs once for the organization's ``admin_role`` and once for its
    ``inventory_admin_role``; in both cases every InventoryAccess check made
    here must pass.
    """
    admin_user = user('admin', False)
    # NOTE(review): assigned in memory only, no save() follows; presumably the
    # `inventory` fixture already belongs to `organization`, so confirm.
    inventory.organization = organization

    # Grant the parametrized organization role to the user under test.
    getattr(organization, role).members.add(admin_user)

    inv_access = InventoryAccess(admin_user)

    assert inv_access.can_read(inventory)

    # Creation, with and without an explicit organization in the payload.
    assert inv_access.can_add(None)
    assert inv_access.can_add({'organization': organization.id})

    # Modification and administration of the existing inventory.
    assert inv_access.can_change(inventory, None)
    assert inv_access.can_change(inventory, {'organization': organization.id})
    assert inv_access.can_admin(inventory, None)
    assert inv_access.can_admin(inventory, {'organization': organization.id})

    # Destructive and execution capabilities.
    assert inv_access.can_delete(inventory)
    assert inv_access.can_run_ad_hoc_commands(inventory)
@pytest.mark.django_db
def test_access_auditor(organization, inventory, user):
    """Check that an organization auditor can read an inventory and nothing else.

    Every add, change, admin, delete and ad hoc command check must be refused.
    """
    # The username is 'admin', but the only role granted is auditor_role.
    auditor = user('admin', False)
    # NOTE(review): assigned in memory only, no save() follows; presumably the
    # `inventory` fixture already belongs to `organization`, so confirm.
    inventory.organization = organization
    organization.auditor_role.members.add(auditor)

    auditor_access = InventoryAccess(auditor)

    # Read is the single capability an auditor is expected to hold.
    assert auditor_access.can_read(inventory)

    # Creation is refused with and without an organization in the payload.
    assert not auditor_access.can_add(None)
    assert not auditor_access.can_add({'organization': organization.id})

    # So are modification and administration of the existing inventory.
    assert not auditor_access.can_change(inventory, None)
    assert not auditor_access.can_change(inventory, {'organization': organization.id})
    assert not auditor_access.can_admin(inventory, None)
    assert not auditor_access.can_admin(inventory, {'organization': organization.id})

    # Destructive and execution capabilities are refused as well.
    assert not auditor_access.can_delete(inventory)
    assert not auditor_access.can_run_ad_hoc_commands(inventory)
@pytest.mark.django_db
def test_inventory_update_org_admin(inventory_update, org_admin):
    """Check that ``org_admin`` is allowed to delete the inventory update."""
    assert InventoryUpdateAccess(org_admin).can_delete(inventory_update)
@pytest.mark.parametrize("role_field,allowed", [
    (None, False),
    ('admin_role', True),
    ('update_role', False),
    ('adhoc_role', False),
    ('use_role', False)
])
@pytest.mark.django_db
def test_inventory_source_delete(inventory_source, alice, role_field, allowed):
    """Check that only ``admin_role`` on the inventory allows deleting its source.

    Each case grants ``alice`` at most one role on the parent inventory
    (``None`` grants nothing) and compares ``can_delete`` with the expected
    outcome. The update, ad hoc and use roles must not allow deletion.
    """
    if role_field:
        granted_role = getattr(inventory_source.inventory, role_field)
        granted_role.members.add(alice)

    decision = InventorySourceAccess(alice).can_delete(inventory_source)
    assert allowed == decision, '{} test failed'.format(role_field)
# See companion test in tests/functional/api/test_inventory.py::test_inventory_update_access_called
@pytest.mark.parametrize("role_field,allowed", [
    (None, False),
    ('admin_role', True),
    ('update_role', True),
    ('adhoc_role', False),
    ('use_role', False)
])
@pytest.mark.django_db
def test_inventory_source_update(inventory_source, alice, role_field, allowed):
    """Check that ``admin_role`` or ``update_role`` is needed to start a source update.

    Each case grants ``alice`` at most one role on the parent inventory
    (``None`` grants nothing) and compares ``can_start`` with the expected
    outcome. The ad hoc and use roles must not allow starting an update.
    """
    if role_field:
        granted_role = getattr(inventory_source.inventory, role_field)
        granted_role.members.add(alice)

    decision = InventorySourceAccess(alice).can_start(inventory_source)
    assert allowed == decision, '{} test failed'.format(role_field)
@pytest.mark.django_db
def test_host_access(organization, inventory, group, user, group_factory):
    """Check that host read access follows the inventory the host is in.

    The user cannot read the host before holding the inventory's
    ``admin_role``, can read it afterwards (also once the host has left its
    group), and loses read access when the host is moved to an inventory the
    user holds no role on.
    """
    second_inventory = organization.inventories.create(name='other-inventory')
    inv_admin = user('inventory_admin', False)

    host_access = HostAccess(inv_admin)

    target_host = Host.objects.create(inventory=inventory, name='host1')
    target_host.groups.add(group)

    # Negative control: no role granted yet.
    assert host_access.can_read(target_host) is False

    inventory.admin_role.members.add(inv_admin)

    assert host_access.can_read(target_host)

    # Group membership is not what grants the access.
    group.hosts.remove(target_host)

    assert host_access.can_read(target_host)

    # Moving the host to the other inventory must revoke the access.
    target_host.inventory = second_inventory
    target_host.save()

    assert host_access.can_read(target_host) is False
@pytest.mark.django_db
def test_inventory_source_credential_check(rando, inventory_source, credential):
    """Check that inventory admin alone does not allow attaching a credential.

    ``rando`` is made admin of the source's inventory, yet ``can_attach`` for
    the ``credentials`` relationship must still be refused.
    """
    # NOTE(review): presumably rando holds no role on `credential` itself and
    # that is why the attach is denied; confirm against the fixtures.
    inventory_source.inventory.admin_role.members.add(rando)

    source_access = InventorySourceAccess(rando)
    attach_data = {'id': credential.pk}
    assert not source_access.can_attach(inventory_source, credential, 'credentials', attach_data)
@pytest.mark.django_db
def test_inventory_source_org_admin_schedule_access(org_admin, inventory_source):
    """Check that ``org_admin`` can list, read and change an inventory source's schedule."""
    source_schedule = Schedule.objects.create(
        unified_job_template=inventory_source,
        rrule='DTSTART:20151117T050000Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=1',
    )
    schedule_access = ScheduleAccess(org_admin)

    # A truthy queryset means at least one schedule is visible.
    assert schedule_access.get_queryset()
    assert schedule_access.can_read(source_schedule)

    # The requested change only raises COUNT from 1 to 2.
    new_rule = {'rrule': 'DTSTART:20151117T050000Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2'}
    assert schedule_access.can_change(source_schedule, new_rule)
@pytest.fixture
def smart_inventory(organization):
    """Provide an inventory of kind "smart" created inside ``organization``."""
    org_inventories = organization.inventories
    return org_inventories.create(name="smart-inv", kind="smart")
@pytest.mark.django_db
class TestSmartInventory:
    """Access checks for inventories created with ``kind="smart"``."""

    def test_host_filter_edit(self, smart_inventory, rando, org_admin):
        """Check that admin on the smart inventory cannot edit ``host_filter``.

        ``org_admin`` may change ``host_filter``. ``rando``, who is only added
        to the smart inventory's own ``admin_role``, may not.
        """
        org_admin_access = InventoryAccess(org_admin)
        assert org_admin_access.can_admin(smart_inventory, {'host_filter': 'search=foo'})

        # An admin role on the inventory object itself must not be sufficient.
        smart_inventory.admin_role.members.add(rando)
        rando_access = InventoryAccess(rando)
        assert not rando_access.can_admin(smart_inventory, {'host_filter': 'search=foo'})