Merge pull request #5095 from jakemcdermott/fix-3882-cred-test-perms

Allow some non-superusers to test credential plugins Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
2024-10-31 23:51:09 +03:00 · 2019-12-03 19:56:44 +00:00 · 2019-12-03 19:56:44 +00:00 · 0362c88e48
commit 0362c88e48
parent 68a6984fcd 63fd546f44
4 changed files with 37 additions and 8 deletions
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@ -1385,6 +1385,7 @@ class CredentialExternalTest(SubDetailAPIView):

    model = models.Credential
    serializer_class = serializers.EmptySerializer
+    obj_permission_type = 'use'

    def post(self, request, *args, **kwargs):
        obj = self.get_object()
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@ -1439,3 +1439,15 @@ def test_create_credential_with_invalid_url_xfail(post, organization, admin, url
    assert response.status_code == status
    if status != 201:
        assert response.data['inputs']['server_url'] == [msg]
+
+
+@pytest.mark.django_db
+def test_external_credential_rbac_test_endpoint(post, alice, external_credential):
+    url = reverse('api:credential_external_test', kwargs={'pk': external_credential.pk})
+    data = {'metadata': {'key': 'some_key'}}
+
+    external_credential.read_role.members.add(alice)
+    assert post(url, data, alice).status_code == 403
+
+    external_credential.use_role.members.add(alice)
+    assert post(url, data, alice).status_code == 202
--- a/awx/main/tests/functional/api/test_credential_type.py
+++ b/awx/main/tests/functional/api/test_credential_type.py
@ -481,3 +481,12 @@ def test_create_with_undefined_template_variable_xfail(post, admin):
    }, admin)
    assert response.status_code == 400
    assert "'api_tolkien' is undefined" in json.dumps(response.data)
+
+
+@pytest.mark.django_db
+def test_credential_type_rbac_external_test(post, alice, admin, credentialtype_external):
+    # only admins may use the credential type test endpoint
+    url = reverse('api:credential_type_external_test', kwargs={'pk': credentialtype_external.pk})
+    data = {'inputs': {}, 'metadata': {}}
+    assert post(url, data, admin).status_code == 202
+    assert post(url, data, alice).status_code == 403
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@ -280,14 +280,21 @@ def credentialtype_external():
        }],
        'required': ['url', 'token', 'key'],
    }
-    external_type = CredentialType(
-        kind='external',
-        managed_by_tower=True,
-        name='External Service',
-        inputs=external_type_inputs
-    )
-    external_type.save()
-    return external_type
+
+    class MockPlugin(object):
+        def backend(self, **kwargs):
+            return 'secret'
+
+    with mock.patch('awx.main.models.credential.CredentialType.plugin', new_callable=PropertyMock) as mock_plugin:
+        mock_plugin.return_value = MockPlugin()
+        external_type = CredentialType(
+            kind='external',
+            managed_by_tower=True,
+            name='External Service',
+            inputs=external_type_inputs
+        )
+        external_type.save()
+        yield external_type


@pytest.fixture