mirror of
https://github.com/ansible/awx.git
synced 2024-10-31 15:21:13 +03:00
commit
47a6daacc7
@ -1354,7 +1354,7 @@ class InventoryList(ListCreateAPIView):
|
||||
|
||||
def get_queryset(self):
|
||||
qs = Inventory.accessible_objects(self.request.user, {'read': True})
|
||||
qs = qs.select_related('admin_role', 'auditor_role', 'updater_role', 'executor_role')
|
||||
qs = qs.select_related('admin_role', 'auditor_role', 'update_role', 'execute_role')
|
||||
return qs
|
||||
|
||||
class InventoryDetail(RetrieveUpdateDestroyAPIView):
|
||||
|
@ -109,7 +109,7 @@ class Migration(migrations.Migration):
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='credential',
|
||||
name='usage_role',
|
||||
name='use_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May use this credential, but not read sensitive portions or modify it', parent_role=None, to='main.Role', role_name=b'Credential User', null=b'True', permissions={b'use': True}),
|
||||
),
|
||||
migrations.AddField(
|
||||
@ -139,13 +139,13 @@ class Migration(migrations.Migration):
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='group',
|
||||
name='executor_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'', parent_role=[b'inventory.executor_role', b'parents.executor_role'], to='main.Role', role_name=b'Inventory Group Executor', null=b'True', permissions={b'read': True, b'execute': True}),
|
||||
name='execute_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'', parent_role=[b'inventory.execute_role', b'parents.executor_role'], to='main.Role', role_name=b'Inventory Group Executor', null=b'True', permissions={b'read': True, b'execute': True}),
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='group',
|
||||
name='updater_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'', parent_role=[b'inventory.updater_role', b'parents.updater_role'], to='main.Role', role_name=b'Inventory Group Updater', null=b'True', permissions={b'read': True, b'write': True, b'create': True, b'use': True}),
|
||||
name='update_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'', parent_role=[b'inventory.update_role', b'parents.updater_role'], to='main.Role', role_name=b'Inventory Group Updater', null=b'True', permissions={b'read': True, b'write': True, b'create': True, b'use': True}),
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='inventory',
|
||||
@ -159,17 +159,17 @@ class Migration(migrations.Migration):
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='inventory',
|
||||
name='executor_role',
|
||||
name='execute_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May execute jobs against this inventory', parent_role=None, to='main.Role', role_name=b'Inventory Executor', null=b'True', permissions={b'read': True, b'execute': True}),
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='inventory',
|
||||
name='updater_role',
|
||||
name='update_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May update the inventory', parent_role=None, to='main.Role', role_name=b'Inventory Updater', null=b'True', permissions={b'read': True, b'update': True}),
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='inventory',
|
||||
name='usage_role',
|
||||
name='use_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May use this inventory, but not read sensitive portions or modify it', parent_role=None, to='main.Role', role_name=b'Inventory User', null=b'True', permissions={b'use': True}),
|
||||
),
|
||||
migrations.AddField(
|
||||
@ -184,7 +184,7 @@ class Migration(migrations.Migration):
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='jobtemplate',
|
||||
name='executor_role',
|
||||
name='execute_role',
|
||||
field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'May run the job template', parent_role=None, to='main.Role', role_name=b'Job Template Runner', null=b'True', permissions={b'read': True, b'execute': True}),
|
||||
),
|
||||
migrations.AddField(
|
||||
|
@ -113,7 +113,7 @@ def attrfunc(attr_path):
|
||||
|
||||
def _update_credential_parents(org, cred):
|
||||
org.admin_role.children.add(cred.owner_role)
|
||||
org.member_role.children.add(cred.usage_role)
|
||||
org.member_role.children.add(cred.use_role)
|
||||
cred.deprecated_user, cred.deprecated_team = None, None
|
||||
cred.save()
|
||||
|
||||
@ -147,7 +147,7 @@ def _discover_credentials(instances, cred, orgfunc):
|
||||
|
||||
# Unlink the old information from the new credential
|
||||
cred.deprecated_user, cred.deprecated_team = None, None
|
||||
cred.owner_role, cred.usage_role = None, None
|
||||
cred.owner_role, cred.use_role = None, None
|
||||
cred.save()
|
||||
|
||||
for i in orgs[org]:
|
||||
@ -189,7 +189,7 @@ def migrate_credential(apps, schema_editor):
|
||||
|
||||
if cred.deprecated_team is not None:
|
||||
cred.deprecated_team.admin_role.children.add(cred.owner_role)
|
||||
cred.deprecated_team.member_role.children.add(cred.usage_role)
|
||||
cred.deprecated_team.member_role.children.add(cred.use_role)
|
||||
cred.deprecated_user, cred.deprecated_team = None, None
|
||||
cred.save()
|
||||
logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host)))
|
||||
@ -214,7 +214,7 @@ def migrate_inventory(apps, schema_editor):
|
||||
elif perm.permission_type == 'read':
|
||||
return inventory.auditor_role
|
||||
elif perm.permission_type == 'write':
|
||||
return inventory.updater_role
|
||||
return inventory.update_role
|
||||
elif perm.permission_type == 'check' or perm.permission_type == 'run':
|
||||
# These permission types are handled differntly in RBAC now, nothing to migrate.
|
||||
return False
|
||||
@ -232,7 +232,7 @@ def migrate_inventory(apps, schema_editor):
|
||||
raise Exception(smart_text(u'Unhandled permission type for inventory: {}'.format( perm.permission_type)))
|
||||
|
||||
if perm.run_ad_hoc_commands:
|
||||
execrole = inventory.executor_role
|
||||
execrole = inventory.execute_role
|
||||
|
||||
if perm.team:
|
||||
if role:
|
||||
@ -392,12 +392,12 @@ def migrate_job_templates(apps, schema_editor):
|
||||
|
||||
for team in Team.objects.iterator():
|
||||
if permission.filter(team=team).exists():
|
||||
team.member_role.children.add(jt.executor_role)
|
||||
team.member_role.children.add(jt.execute_role)
|
||||
logger.info(smart_text(u'adding Team({}) access to JobTemplate({})'.format(team.name, jt.name)))
|
||||
|
||||
for user in User.objects.iterator():
|
||||
if permission.filter(user=user).exists():
|
||||
jt.executor_role.members.add(user)
|
||||
jt.execute_role.members.add(user)
|
||||
logger.info(smart_text(u'adding User({}) access to JobTemplate({})'.format(user.username, jt.name)))
|
||||
|
||||
if jt.accessible_by(user, {'execute': True}):
|
||||
@ -407,5 +407,5 @@ def migrate_job_templates(apps, schema_editor):
|
||||
continue
|
||||
|
||||
if old_access.check_user_access(user, jt.__class__, 'start', jt, False):
|
||||
jt.executor_role.members.add(user)
|
||||
jt.execute_role.members.add(user)
|
||||
logger.info(smart_text(u'adding User({}) access to JobTemplate({})'.format(user.username, jt.name)))
|
||||
|
@ -182,7 +182,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
|
||||
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
|
||||
],
|
||||
)
|
||||
usage_role = ImplicitRoleField(
|
||||
use_role = ImplicitRoleField(
|
||||
role_name='Credential User',
|
||||
role_description='May use this credential, but not read sensitive portions or modify it',
|
||||
)
|
||||
|
@ -106,15 +106,15 @@ class Inventory(CommonModel, ResourceMixin):
|
||||
role_description='May view but not modify this inventory',
|
||||
parent_role='organization.auditor_role',
|
||||
)
|
||||
updater_role = ImplicitRoleField(
|
||||
update_role = ImplicitRoleField(
|
||||
role_name='Inventory Updater',
|
||||
role_description='May update the inventory',
|
||||
)
|
||||
usage_role = ImplicitRoleField(
|
||||
use_role = ImplicitRoleField(
|
||||
role_name='Inventory User',
|
||||
role_description='May use this inventory, but not read sensitive portions or modify it',
|
||||
)
|
||||
executor_role = ImplicitRoleField(
|
||||
execute_role = ImplicitRoleField(
|
||||
role_name='Inventory Executor',
|
||||
role_description='May execute jobs against this inventory',
|
||||
)
|
||||
@ -525,13 +525,13 @@ class Group(CommonModelNameNotUnique, ResourceMixin):
|
||||
role_name='Inventory Group Auditor',
|
||||
parent_role=['inventory.auditor_role', 'parents.auditor_role'],
|
||||
)
|
||||
updater_role = ImplicitRoleField(
|
||||
update_role = ImplicitRoleField(
|
||||
role_name='Inventory Group Updater',
|
||||
parent_role=['inventory.updater_role', 'parents.updater_role'],
|
||||
parent_role=['inventory.update_role', 'parents.updater_role'],
|
||||
)
|
||||
executor_role = ImplicitRoleField(
|
||||
execute_role = ImplicitRoleField(
|
||||
role_name='Inventory Group Executor',
|
||||
parent_role=['inventory.executor_role', 'parents.executor_role'],
|
||||
parent_role=['inventory.execute_role', 'parents.executor_role'],
|
||||
)
|
||||
|
||||
def __unicode__(self):
|
||||
|
@ -213,7 +213,7 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
|
||||
role_description='Read-only access to all settings',
|
||||
parent_role='project.auditor_role',
|
||||
)
|
||||
executor_role = ImplicitRoleField(
|
||||
execute_role = ImplicitRoleField(
|
||||
role_name='Job Template Runner',
|
||||
role_description='May run the job template',
|
||||
)
|
||||
|
@ -176,7 +176,7 @@ def grant_host_access_to_group_roles(instance, action, model, reverse, pk_set, *
|
||||
)
|
||||
RolePermission.objects.create(
|
||||
resource=host,
|
||||
role=group.updater_role,
|
||||
role=group.update_role,
|
||||
auto_generated=True,
|
||||
read=1,
|
||||
write=1,
|
||||
@ -185,7 +185,7 @@ def grant_host_access_to_group_roles(instance, action, model, reverse, pk_set, *
|
||||
)
|
||||
RolePermission.objects.create(
|
||||
resource=host,
|
||||
role=group.executor_role,
|
||||
role=group.execute_role,
|
||||
auto_generated=True,
|
||||
read=1,
|
||||
execute=1
|
||||
@ -208,7 +208,7 @@ def grant_host_access_to_group_roles(instance, action, model, reverse, pk_set, *
|
||||
content_type = host_content_type,
|
||||
object_id = host.id,
|
||||
auto_generated = True,
|
||||
role__in = [group.admin_role, group.updater_role, group.auditor_role, group.executor_role]
|
||||
role__in = [group.admin_role, group.update_role, group.auditor_role, group.execute_role]
|
||||
).delete()
|
||||
|
||||
if reverse:
|
||||
|
@ -661,4 +661,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -340,4 +340,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -270,4 +270,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -255,4 +255,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -268,4 +268,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -257,4 +257,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -405,4 +405,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -518,4 +518,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -327,4 +327,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -331,4 +331,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -336,4 +336,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -335,4 +335,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -427,4 +427,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -388,4 +388,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -497,4 +497,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -451,4 +451,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -501,4 +501,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -464,4 +464,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -395,4 +395,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -417,4 +417,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -427,4 +427,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -442,4 +442,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -1408,4 +1408,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -792,4 +792,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -497,4 +497,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -449,4 +449,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -436,4 +436,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -437,4 +437,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -440,4 +440,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -450,4 +450,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -493,4 +493,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -510,4 +510,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -572,4 +572,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -519,4 +519,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -520,4 +520,4 @@ class Migration(SchemaMigration):
|
||||
}
|
||||
}
|
||||
|
||||
complete_apps = ['main']
|
||||
complete_apps = ['main']
|
||||
|
@ -275,7 +275,7 @@ def test_org_admin_add_user_to_job_template(post, organization, check_jobtemplat
|
||||
assert check_jobtemplate.accessible_by(org_admin, {'write': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
|
||||
res =post(reverse('api:role_users_list', args=(check_jobtemplate.executor_role.id,)), {'id': joe.id}, org_admin)
|
||||
res =post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, org_admin)
|
||||
|
||||
print(res.data)
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
@ -287,12 +287,12 @@ def test_org_admin_remove_user_to_job_template(post, organization, check_jobtemp
|
||||
org_admin = user('org-admin')
|
||||
joe = user('joe')
|
||||
organization.admin_role.members.add(org_admin)
|
||||
check_jobtemplate.executor_role.members.add(joe)
|
||||
check_jobtemplate.execute_role.members.add(joe)
|
||||
|
||||
assert check_jobtemplate.accessible_by(org_admin, {'write': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
|
||||
post(reverse('api:role_users_list', args=(check_jobtemplate.executor_role.id,)), {'disassociate': True, 'id': joe.id}, org_admin)
|
||||
post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'disassociate': True, 'id': joe.id}, org_admin)
|
||||
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
|
||||
@ -305,7 +305,7 @@ def test_user_fail_to_add_user_to_job_template(post, organization, check_jobtemp
|
||||
assert check_jobtemplate.accessible_by(rando, {'write': True}) is False
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
|
||||
res = post(reverse('api:role_users_list', args=(check_jobtemplate.executor_role.id,)), {'id': joe.id}, rando)
|
||||
res = post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, rando)
|
||||
print(res.data)
|
||||
assert res.status_code == 403
|
||||
|
||||
@ -317,12 +317,12 @@ def test_user_fail_to_remove_user_to_job_template(post, organization, check_jobt
|
||||
'Tests that a user without permissions to assign/revoke membership to a particular role cannot do so'
|
||||
rando = user('rando')
|
||||
joe = user('joe')
|
||||
check_jobtemplate.executor_role.members.add(joe)
|
||||
check_jobtemplate.execute_role.members.add(joe)
|
||||
|
||||
assert check_jobtemplate.accessible_by(rando, {'write': True}) is False
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
|
||||
res = post(reverse('api:role_users_list', args=(check_jobtemplate.executor_role.id,)), {'disassociate': True, 'id': joe.id}, rando)
|
||||
res = post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'disassociate': True, 'id': joe.id}, rando)
|
||||
assert res.status_code == 403
|
||||
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
|
@ -19,9 +19,9 @@ def test_credential_migration_user(credential, user, permissions):
|
||||
assert credential.accessible_by(u, permissions['admin'])
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_credential_usage_role(credential, user, permissions):
|
||||
def test_credential_use_role(credential, user, permissions):
|
||||
u = user('user', False)
|
||||
credential.usage_role.members.add(u)
|
||||
credential.use_role.members.add(u)
|
||||
assert credential.accessible_by(u, permissions['usage'])
|
||||
|
||||
@pytest.mark.django_db
|
||||
@ -34,7 +34,7 @@ def test_credential_migration_team_member(credential, team, user, permissions):
|
||||
|
||||
# No permissions pre-migration (this happens automatically so we patch this)
|
||||
team.admin_role.children.remove(credential.owner_role)
|
||||
team.member_role.children.remove(credential.usage_role)
|
||||
team.member_role.children.remove(credential.use_role)
|
||||
assert not credential.accessible_by(u, permissions['admin'])
|
||||
|
||||
rbac.migrate_credential(apps, None)
|
||||
|
@ -32,8 +32,8 @@ def test_inventory_admin_user(inventory, permissions, user):
|
||||
rbac.migrate_inventory(apps, None)
|
||||
|
||||
assert inventory.accessible_by(u, permissions['admin'])
|
||||
assert inventory.executor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.updater_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.execute_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.update_role.members.filter(id=u.id).exists() is False
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_inventory_auditor_user(inventory, permissions, user):
|
||||
@ -48,8 +48,8 @@ def test_inventory_auditor_user(inventory, permissions, user):
|
||||
|
||||
assert inventory.accessible_by(u, permissions['admin']) is False
|
||||
assert inventory.accessible_by(u, permissions['auditor']) is True
|
||||
assert inventory.executor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.updater_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.execute_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.update_role.members.filter(id=u.id).exists() is False
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_inventory_updater_user(inventory, permissions, user):
|
||||
@ -63,8 +63,8 @@ def test_inventory_updater_user(inventory, permissions, user):
|
||||
rbac.migrate_inventory(apps, None)
|
||||
|
||||
assert inventory.accessible_by(u, permissions['admin']) is False
|
||||
assert inventory.executor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.updater_role.members.filter(id=u.id).exists()
|
||||
assert inventory.execute_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.update_role.members.filter(id=u.id).exists()
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_inventory_executor_user(inventory, permissions, user):
|
||||
@ -79,8 +79,8 @@ def test_inventory_executor_user(inventory, permissions, user):
|
||||
|
||||
assert inventory.accessible_by(u, permissions['admin']) is False
|
||||
assert inventory.accessible_by(u, permissions['auditor']) is True
|
||||
assert inventory.executor_role.members.filter(id=u.id).exists()
|
||||
assert inventory.updater_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.execute_role.members.filter(id=u.id).exists()
|
||||
assert inventory.update_role.members.filter(id=u.id).exists() is False
|
||||
|
||||
|
||||
|
||||
@ -99,8 +99,8 @@ def test_inventory_admin_team(inventory, permissions, user, team):
|
||||
assert team.member_role.members.count() == 1
|
||||
assert inventory.admin_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.auditor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.executor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.updater_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.execute_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.update_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.accessible_by(u, permissions['auditor'])
|
||||
assert inventory.accessible_by(u, permissions['admin'])
|
||||
|
||||
@ -121,8 +121,8 @@ def test_inventory_auditor(inventory, permissions, user, team):
|
||||
assert team.member_role.members.count() == 1
|
||||
assert inventory.admin_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.auditor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.executor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.updater_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.execute_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.update_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.accessible_by(u, permissions['auditor'])
|
||||
assert inventory.accessible_by(u, permissions['admin']) is False
|
||||
|
||||
@ -142,10 +142,10 @@ def test_inventory_updater(inventory, permissions, user, team):
|
||||
assert team.member_role.members.count() == 1
|
||||
assert inventory.admin_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.auditor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.executor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.updater_role.members.filter(id=u.id).exists() is False
|
||||
assert team.member_role.is_ancestor_of(inventory.updater_role)
|
||||
assert team.member_role.is_ancestor_of(inventory.executor_role) is False
|
||||
assert inventory.execute_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.update_role.members.filter(id=u.id).exists() is False
|
||||
assert team.member_role.is_ancestor_of(inventory.update_role)
|
||||
assert team.member_role.is_ancestor_of(inventory.execute_role) is False
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
@ -164,10 +164,10 @@ def test_inventory_executor(inventory, permissions, user, team):
|
||||
assert team.member_role.members.count() == 1
|
||||
assert inventory.admin_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.auditor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.executor_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.updater_role.members.filter(id=u.id).exists() is False
|
||||
assert team.member_role.is_ancestor_of(inventory.updater_role) is False
|
||||
assert team.member_role.is_ancestor_of(inventory.executor_role)
|
||||
assert inventory.execute_role.members.filter(id=u.id).exists() is False
|
||||
assert inventory.update_role.members.filter(id=u.id).exists() is False
|
||||
assert team.member_role.is_ancestor_of(inventory.update_role) is False
|
||||
assert team.member_role.is_ancestor_of(inventory.execute_role)
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_group_parent_admin(group, permissions, user):
|
||||
|
@ -24,7 +24,7 @@ def test_admin_executing_permissions(deploy_jobtemplate, inventory, machine_cred
|
||||
def test_job_template_start_access(deploy_jobtemplate, user):
|
||||
|
||||
common_user = user('test-user', False)
|
||||
deploy_jobtemplate.executor_role.members.add(common_user)
|
||||
deploy_jobtemplate.execute_role.members.add(common_user)
|
||||
|
||||
assert common_user.can_access(JobTemplate, 'start', deploy_jobtemplate)
|
||||
|
||||
@ -33,7 +33,7 @@ def test_job_template_start_access(deploy_jobtemplate, user):
|
||||
def test_credential_use_access(machine_credential, user):
|
||||
|
||||
common_user = user('test-user', False)
|
||||
machine_credential.usage_role.members.add(common_user)
|
||||
machine_credential.use_role.members.add(common_user)
|
||||
|
||||
assert common_user.can_access(Credential, 'use', machine_credential)
|
||||
|
||||
@ -42,6 +42,6 @@ def test_credential_use_access(machine_credential, user):
|
||||
def test_inventory_use_access(inventory, user):
|
||||
|
||||
common_user = user('test-user', False)
|
||||
inventory.usage_role.members.add(common_user)
|
||||
inventory.use_role.members.add(common_user)
|
||||
|
||||
assert common_user.can_access(Inventory, 'use', inventory)
|
||||
|
@ -295,14 +295,14 @@ class BaseJobTestMixin(BaseTestMixin):
|
||||
password='ASK',
|
||||
created_by=self.user_sue,
|
||||
)
|
||||
self.cred_bob.usage_role.members.add(self.user_bob)
|
||||
self.cred_bob.use_role.members.add(self.user_bob)
|
||||
|
||||
self.cred_chuck = Credential.objects.create(
|
||||
username='chuck',
|
||||
ssh_key_data=TEST_SSH_KEY_DATA,
|
||||
created_by=self.user_sue,
|
||||
)
|
||||
self.cred_chuck.usage_role.members.add(self.user_chuck)
|
||||
self.cred_chuck.use_role.members.add(self.user_chuck)
|
||||
|
||||
self.cred_doug = Credential.objects.create(
|
||||
username='doug',
|
||||
@ -310,7 +310,7 @@ class BaseJobTestMixin(BaseTestMixin):
|
||||
'is why we dont\'t let doug actually run jobs.',
|
||||
created_by=self.user_sue,
|
||||
)
|
||||
self.cred_doug.usage_role.members.add(self.user_doug)
|
||||
self.cred_doug.use_role.members.add(self.user_doug)
|
||||
|
||||
self.cred_eve = Credential.objects.create(
|
||||
username='eve',
|
||||
@ -320,14 +320,14 @@ class BaseJobTestMixin(BaseTestMixin):
|
||||
become_password='ASK',
|
||||
created_by=self.user_sue,
|
||||
)
|
||||
self.cred_eve.usage_role.members.add(self.user_eve)
|
||||
self.cred_eve.use_role.members.add(self.user_eve)
|
||||
|
||||
self.cred_frank = Credential.objects.create(
|
||||
username='frank',
|
||||
password='fr@nk the t@nk',
|
||||
created_by=self.user_sue,
|
||||
)
|
||||
self.cred_frank.usage_role.members.add(self.user_frank)
|
||||
self.cred_frank.use_role.members.add(self.user_frank)
|
||||
|
||||
self.cred_greg = Credential.objects.create(
|
||||
username='greg',
|
||||
@ -335,21 +335,21 @@ class BaseJobTestMixin(BaseTestMixin):
|
||||
ssh_key_unlock='ASK',
|
||||
created_by=self.user_sue,
|
||||
)
|
||||
self.cred_greg.usage_role.members.add(self.user_greg)
|
||||
self.cred_greg.use_role.members.add(self.user_greg)
|
||||
|
||||
self.cred_holly = Credential.objects.create(
|
||||
username='holly',
|
||||
password='holly rocks',
|
||||
created_by=self.user_sue,
|
||||
)
|
||||
self.cred_holly.usage_role.members.add(self.user_holly)
|
||||
self.cred_holly.use_role.members.add(self.user_holly)
|
||||
|
||||
self.cred_iris = Credential.objects.create(
|
||||
username='iris',
|
||||
password='ASK',
|
||||
created_by=self.user_sue,
|
||||
)
|
||||
self.cred_iris.usage_role.members.add(self.user_iris)
|
||||
self.cred_iris.use_role.members.add(self.user_iris)
|
||||
|
||||
# Each operations team also has shared credentials they can use.
|
||||
self.cred_ops_east = Credential.objects.create(
|
||||
@ -358,14 +358,14 @@ class BaseJobTestMixin(BaseTestMixin):
|
||||
ssh_key_unlock=TEST_SSH_KEY_DATA_UNLOCK,
|
||||
created_by = self.user_sue,
|
||||
)
|
||||
self.team_ops_east.member_role.children.add(self.cred_ops_east.usage_role)
|
||||
self.team_ops_east.member_role.children.add(self.cred_ops_east.use_role)
|
||||
|
||||
self.cred_ops_west = Credential.objects.create(
|
||||
username='west',
|
||||
password='Heading270',
|
||||
created_by = self.user_sue,
|
||||
)
|
||||
self.team_ops_west.member_role.children.add(self.cred_ops_west.usage_role)
|
||||
self.team_ops_west.member_role.children.add(self.cred_ops_west.use_role)
|
||||
|
||||
|
||||
# FIXME: This code can be removed (probably)
|
||||
@ -391,7 +391,7 @@ class BaseJobTestMixin(BaseTestMixin):
|
||||
password='HeadingNone',
|
||||
created_by = self.user_sue,
|
||||
)
|
||||
self.team_ops_testers.member_role.children.add(self.cred_ops_test.usage_role)
|
||||
self.team_ops_testers.member_role.children.add(self.cred_ops_test.use_role)
|
||||
|
||||
self.ops_east_permission = Permission.objects.create(
|
||||
inventory = self.inv_ops_east,
|
||||
|
@ -463,7 +463,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
|
||||
# not allowed to run ad hoc commands).
|
||||
user_roles_list_url = reverse('api:user_roles_list', args=(self.other_django_user.pk,))
|
||||
with self.current_user('admin'):
|
||||
response = self.post(user_roles_list_url, {"id": self.inventory.updater_role.id}, expect=204)
|
||||
response = self.post(user_roles_list_url, {"id": self.inventory.update_role.id}, expect=204)
|
||||
with self.current_user('other'):
|
||||
self.run_test_ad_hoc_command(expect=403)
|
||||
self.check_get_list(url, 'other', qs)
|
||||
@ -471,7 +471,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
|
||||
# Add executor role permissions to other. Fails
|
||||
# when other user can't read credential.
|
||||
with self.current_user('admin'):
|
||||
response = self.post(user_roles_list_url, {"id": self.inventory.executor_role.id}, expect=204)
|
||||
response = self.post(user_roles_list_url, {"id": self.inventory.execute_role.id}, expect=204)
|
||||
with self.current_user('other'):
|
||||
self.run_test_ad_hoc_command(expect=403)
|
||||
|
||||
@ -504,7 +504,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
|
||||
# Give the nobody user the run_ad_hoc_commands flag, and can now see
|
||||
# the one ad hoc command previously run.
|
||||
with self.current_user('admin'):
|
||||
response = self.post(nobody_roles_list_url, {"id": self.inventory.executor_role.id}, expect=204)
|
||||
response = self.post(nobody_roles_list_url, {"id": self.inventory.execute_role.id}, expect=204)
|
||||
qs = AdHocCommand.objects.filter(credential_id=nobody_cred.pk)
|
||||
self.assertEqual(qs.count(), 1)
|
||||
self.check_get_list(url, 'nobody', qs)
|
||||
@ -1006,7 +1006,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
|
||||
# can_run_ad_hoc_commands = True when we shouldn't.
|
||||
nobody_roles_list_url = reverse('api:user_roles_list', args=(self.nobody_django_user.pk,))
|
||||
with self.current_user('admin'):
|
||||
response = self.post(nobody_roles_list_url, {"id": self.inventory.executor_role.id}, expect=204)
|
||||
response = self.post(nobody_roles_list_url, {"id": self.inventory.execute_role.id}, expect=204)
|
||||
|
||||
# Create a credential for the other user and explicitly give other
|
||||
# user admin permission on the inventory (still not allowed to run ad
|
||||
@ -1014,7 +1014,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
|
||||
other_cred = self.create_test_credential(user=self.other_django_user)
|
||||
user_roles_list_url = reverse('api:user_roles_list', args=(self.other_django_user.pk,))
|
||||
with self.current_user('admin'):
|
||||
response = self.post(user_roles_list_url, {"id": self.inventory.updater_role.id}, expect=204)
|
||||
response = self.post(user_roles_list_url, {"id": self.inventory.update_role.id}, expect=204)
|
||||
with self.current_user('other'):
|
||||
response = self.get(url, expect=200)
|
||||
self.assertEqual(response['count'], 0)
|
||||
@ -1025,7 +1025,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
|
||||
# Update permission to allow other user to run ad hoc commands. Can
|
||||
# only see his own ad hoc commands (because of credential permission).
|
||||
with self.current_user('admin'):
|
||||
response = self.post(user_roles_list_url, {"id": self.inventory.executor_role.id}, expect=204)
|
||||
response = self.post(user_roles_list_url, {"id": self.inventory.execute_role.id}, expect=204)
|
||||
with self.current_user('other'):
|
||||
response = self.get(url, expect=200)
|
||||
self.assertEqual(response['count'], 0)
|
||||
|
Loading…
Reference in New Issue
Block a user