Tests for permission checking on who can start jobs of certain types, etc.
This commit is contained in:
parent
28332cc5a5
commit
2f5745272f
@ -780,6 +780,7 @@ class JobTemplate(CommonModel):
|
|||||||
if user.is_superuser:
|
if user.is_superuser:
|
||||||
return True
|
return True
|
||||||
project = Project.objects.get(pk=data['project'])
|
project = Project.objects.get(pk=data['project'])
|
||||||
|
inventory = Inventory.objects.get(pk=data['inventory'])
|
||||||
|
|
||||||
admin_of_orgs = project.organizations.filter(admins__in = [ user ])
|
admin_of_orgs = project.organizations.filter(admins__in = [ user ])
|
||||||
if admin_of_orgs.count() > 0:
|
if admin_of_orgs.count() > 0:
|
||||||
@ -792,7 +793,7 @@ class JobTemplate(CommonModel):
|
|||||||
if job_type == PERM_INVENTORY_CHECK:
|
if job_type == PERM_INVENTORY_CHECK:
|
||||||
# if you have run permissions, you can also create check jobs
|
# if you have run permissions, you can also create check jobs
|
||||||
has_project_permission = True
|
has_project_permission = True
|
||||||
elif job_type == PERM_INVENTORY_DEPLOY and perm.job_type == PERM_INVENTORY_DEPLOY:
|
elif job_type == PERM_INVENTORY_DEPLOY and perm.permission_type == PERM_INVENTORY_DEPLOY:
|
||||||
# you need explicit run permissions to make run jobs
|
# you need explicit run permissions to make run jobs
|
||||||
has_project_permission = True
|
has_project_permission = True
|
||||||
team_permissions = Permission.objects.filter(inventory=inventory, project=project, team__users__in = [user])
|
team_permissions = Permission.objects.filter(inventory=inventory, project=project, team__users__in = [user])
|
||||||
@ -800,7 +801,7 @@ class JobTemplate(CommonModel):
|
|||||||
if job_type == PERM_INVENTORY_CHECK:
|
if job_type == PERM_INVENTORY_CHECK:
|
||||||
# if you have run permissions, you can also create check jobs
|
# if you have run permissions, you can also create check jobs
|
||||||
has_project_permission = True
|
has_project_permission = True
|
||||||
elif job_type == PERM_INVENTORY_DEPLOY and perm.job_type == PERM_INVENTORY_DEPLOY:
|
elif job_type == PERM_INVENTORY_DEPLOY and perm.permission_type == PERM_INVENTORY_DEPLOY:
|
||||||
# you need explicit run permissions to make run jobs
|
# you need explicit run permissions to make run jobs
|
||||||
has_project_permission = True
|
has_project_permission = True
|
||||||
|
|
||||||
|
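Review bot: The added `inventory = Inventory.objects.get(pk=data['inventory'])` (like the `Project.objects.get` just above it) raises `KeyError` or `DoesNotExist` when the request omits the key or names an id that does not exist, so a permission check driven by caller-supplied data can end in an unhandled exception instead of a denial. Unless the serializer is already guaranteed to have validated both ids before this method runs, guard the lookups, e.g. `try: inventory = Inventory.objects.get(pk=data['inventory'])` / `except (KeyError, Inventory.DoesNotExist): return False`, and the same for the project. Separately, both `if job_type == PERM_INVENTORY_CHECK:` branches set `has_project_permission = True` for any matching `Permission` row without inspecting `perm.permission_type`; if that field can hold values other than check/deploy, this grants check-mode jobs more widely than the comment describes, so consider `elif job_type == PERM_INVENTORY_CHECK and perm.permission_type in (PERM_INVENTORY_CHECK, PERM_INVENTORY_DEPLOY):`. The enclosing method begins before the first hunk and continues past the last one.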
@ -29,10 +29,23 @@ class JobsTest(BaseTest):
|
|||||||
# not really used
|
# not really used
|
||||||
return '/api/v1/job_templates/'
|
return '/api/v1/job_templates/'
|
||||||
|
|
||||||
|
def get_other2_credentials(self):
|
||||||
|
return ('other2', 'other2')
|
||||||
|
|
||||||
|
def get_nobody_credentials(self):
|
||||||
|
return ('nobody', 'nobody')
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(JobsTest, self).setUp()
|
super(JobsTest, self).setUp()
|
||||||
self.setup_users()
|
self.setup_users()
|
||||||
|
|
||||||
|
self.other2_django_user = User.objects.create(username='other2')
|
||||||
|
self.other2_django_user.set_password('other2')
|
||||||
|
self.other2_django_user.save()
|
||||||
|
self.nobody_django_user = User.objects.create(username='nobody')
|
||||||
|
self.nobody_django_user.set_password('nobody')
|
||||||
|
self.nobody_django_user.save()
|
||||||
|
|
||||||
self.organization = Organization.objects.create(
|
self.organization = Organization.objects.create(
|
||||||
name = 'engineering',
|
name = 'engineering',
|
||||||
created_by = self.normal_django_user
|
created_by = self.normal_django_user
|
||||||
@ -50,6 +63,39 @@ class JobsTest(BaseTest):
|
|||||||
created_by = self.normal_django_user
|
created_by = self.normal_django_user
|
||||||
)
|
)
|
||||||
|
|
||||||
|
self.team = Team.objects.create(
|
||||||
|
name = 'Tigger',
|
||||||
|
created_by = self.normal_django_user
|
||||||
|
)
|
||||||
|
|
||||||
|
self.team.users.add(self.other_django_user)
|
||||||
|
|
||||||
|
self.project = Project.objects.create(
|
||||||
|
name = 'testProject',
|
||||||
|
created_by = self.normal_django_user,
|
||||||
|
local_repository = '/tmp/',
|
||||||
|
scm_type = 'git',
|
||||||
|
default_playbook = 'site.yml',
|
||||||
|
)
|
||||||
|
|
||||||
|
# other django user is on the project team and can deploy
|
||||||
|
self.permission1 = Permission.objects.create(
|
||||||
|
inventory = self.inventory,
|
||||||
|
project = self.project,
|
||||||
|
team = self.team,
|
||||||
|
permission_type = PERM_INVENTORY_DEPLOY,
|
||||||
|
created_by = self.normal_django_user
|
||||||
|
)
|
||||||
|
|
||||||
|
# individual permission granted to other2 user, can run check mode
|
||||||
|
self.permission2 = Permission.objects.create(
|
||||||
|
inventory = self.inventory,
|
||||||
|
project = self.project,
|
||||||
|
user = self.other2_django_user,
|
||||||
|
permission_type = PERM_INVENTORY_CHECK,
|
||||||
|
created_by = self.normal_django_user
|
||||||
|
)
|
||||||
|
|
||||||
self.host_a = Host.objects.create(
|
self.host_a = Host.objects.create(
|
||||||
name = '127.0.0.1',
|
name = '127.0.0.1',
|
||||||
inventory = self.inventory,
|
inventory = self.inventory,
|
||||||
@ -66,13 +112,6 @@ class JobsTest(BaseTest):
|
|||||||
self.group_a.hosts.add(self.host_b)
|
self.group_a.hosts.add(self.host_b)
|
||||||
self.group_a.save()
|
self.group_a.save()
|
||||||
|
|
||||||
self.project = Project.objects.create(
|
|
||||||
name = 'testProject',
|
|
||||||
created_by = self.normal_django_user,
|
|
||||||
local_repository = '/tmp/',
|
|
||||||
scm_type = 'git',
|
|
||||||
default_playbook = 'site.yml',
|
|
||||||
)
|
|
||||||
|
|
||||||
self.credential = Credential.objects.create(
|
self.credential = Credential.objects.create(
|
||||||
ssh_key_data = 'xxx',
|
ssh_key_data = 'xxx',
|
||||||
@ -114,9 +153,31 @@ class JobsTest(BaseTest):
|
|||||||
project = self.project.pk,
|
project = self.project.pk,
|
||||||
job_type = PERM_INVENTORY_DEPLOY
|
job_type = PERM_INVENTORY_DEPLOY
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# org admin can add job type
|
||||||
posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_normal_credentials())
|
posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_normal_credentials())
|
||||||
self.assertEquals(posted['url'], '/api/v1/job_templates/3/')
|
self.assertEquals(posted['url'], '/api/v1/job_templates/3/')
|
||||||
|
|
||||||
|
# other_django_user is on a team that can deploy, so can create both deploy and check type jobs
|
||||||
|
rec['name'] = 'job-foo2'
|
||||||
|
posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_other_credentials())
|
||||||
|
rec['name'] = 'job-foo3'
|
||||||
|
rec['job_type'] = PERM_INVENTORY_CHECK
|
||||||
|
posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_other_credentials())
|
||||||
|
|
||||||
|
# other2_django_user has individual permissions to run check mode, but not deploy
|
||||||
|
# nobody user can't even run check mode
|
||||||
|
rec['name'] = 'job-foo4'
|
||||||
|
posted = self.post('/api/v1/job_templates/', rec, expect=403, auth=self.get_nobody_credentials())
|
||||||
|
posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_other2_credentials())
|
||||||
|
rec['name'] = 'job-foo5'
|
||||||
|
rec['job_type'] = PERM_INVENTORY_DEPLOY
|
||||||
|
posted = self.post('/api/v1/job_templates/', rec, expect=403, auth=self.get_nobody_credentials())
|
||||||
|
posted = self.post('/api/v1/job_templates/', rec, expect=403, auth=self.get_other2_credentials())
|
||||||
|
|
||||||
|
# TODO: add more tests that show
|
||||||
|
# the method used to START a JobTemplate follow the exact same permissions as those to create it ...
|
||||||
|
# and that jobs come back nicely serialized with related resources and so on ...
|
||||||
|
# that we can drill all the way down and can get at host failure lists, etc ...
|
||||||
|
|
||||||
|
|
||||||
|
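Review bot: The new assertions cover the org-admin, team and individual-user paths, but nothing shows that a permission granted on a different inventory or project is not honoured here, which is exactly the scoping the model's `Permission.objects.filter(inventory=inventory, project=project, ...)` lookup is meant to enforce; a negative case where other2 is granted deploy on a second inventory and still gets 403 on `self.inventory` would catch a regression that drops either filter key. The 403 calls also discard `posted` without checking that no template row was written, so a follow-up such as `self.assertEqual(JobTemplate.objects.filter(name='job-foo5').count(), 0)` would tighten the denial assertions (assuming `JobTemplate` is importable in this test module). The test method starts before this hunk.
```python
# … unchanged: existing job-foo4 / job-foo5 assertions …
# a deploy permission scoped to another inventory must not carry over to this one
# … a second Inventory, other_inventory, created the same way setUp builds self.inventory …
Permission.objects.create(
    inventory = other_inventory,
    project = self.project,
    user = self.other2_django_user,
    permission_type = PERM_INVENTORY_DEPLOY,
    created_by = self.normal_django_user
)
rec['name'] = 'job-foo6'
rec['job_type'] = PERM_INVENTORY_DEPLOY
posted = self.post('/api/v1/job_templates/', rec, expect=403, auth=self.get_other2_credentials())
```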