Handle cascading mark inactive in better ways as per rbac spec

specifically around Teams and Credentials
2024-11-01 08:21:15 +03:00 · 2014-07-24 15:19:53 -04:00 · 2014-07-24 15:19:53 -04:00 · 695df551e7
commit 695df551e7
parent 20d76bfc91
4 changed files with 53 additions and 4 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -258,8 +258,8 @@ class InventoryAccess(BaseAccess):
        qs = qs.select_related('created_by', 'organization')
        if self.user.is_superuser:
            return qs
-        admin_of = qs.filter(organization__admins__in=[self.user],
-                             organization__active=True).distinct()
+        qs = qs.filter(organization__active=True)
+        admin_of = qs.filter(organization__admins__in=[self.user]).distinct()
        has_user_perms = qs.filter(
            permissions__user__in=[self.user],
            permissions__permission_type__in=allowed,
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@ -83,6 +83,13 @@ class Team(CommonModelNameNotUnique):
    def get_absolute_url(self):
        return reverse('api:team_detail', args=(self.pk,))

+    def mark_inactive(self, save=True):
+        '''
+        When marking a team inactive we'll wipe out its credentials also
+        '''
+        for cred in self.credentials.all():
+            cred.mark_inactive()
+        super(Team, self).mark_inactive(save=save)

 class Permission(CommonModelNameNotUnique):
    '''
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@ -46,8 +46,6 @@ HIDDEN_PASSWORD = '**********'

 logger = logging.getLogger('awx.main.tasks')

-# FIXME: Cleanly cancel task when celery worker is stopped.
-
@task()
 def bulk_inventory_element_delete(inventory, hosts=[], groups=[]):
    from awx.main.signals import disable_activity_stream
--- a/awx/main/tests/jobs.py
+++ b/awx/main/tests/jobs.py
@ -251,6 +251,23 @@ class BaseJobTestMixin(BaseTestMixin):
        self.team_ops_west.users.add(self.user_greg)
        self.team_ops_west.users.add(self.user_iris)

+        # The south team is no longer active having been folded into the east team
+        self.team_ops_south = self.org_ops.teams.create(
+            name='southerners',
+            created_by=self.user_sue,
+            active=False,
+        )
+        self.team_ops_south.projects.add(self.proj_prod)
+        self.team_ops_south.users.add(self.user_greg)
+
+        # The north team is going to be deleted
+        self.team_ops_north = self.org_ops.teams.create(
+            name='northerners',
+            created_by=self.user_sue,
+        )
+        self.team_ops_north.projects.add(self.proj_prod)
+        self.team_ops_north.users.add(self.user_greg)
+
        # Each user has his/her own set of credentials.
        from awx.main.tests.tasks import (TEST_SSH_KEY_DATA,
                                          TEST_SSH_KEY_DATA_LOCKED,
@ -312,6 +329,17 @@ class BaseJobTestMixin(BaseTestMixin):
            password='Heading270',
            created_by = self.user_sue,
        )
+        self.cred_ops_south = self.team_ops_south.credentials.create(
+            username='south',
+            password='Heading180',
+            created_by = self.user_sue,
+        )
+
+        self.cred_ops_north = self.team_ops_north.credentials.create(
+            username='north',
+            password='Heading0',
+            created_by = self.user_sue,
+        )

        # FIXME: Define explicit permissions for tests.
        # other django user is on the project team and can deploy
@ -502,6 +530,20 @@ class JobTemplateTest(BaseJobTestMixin, django.test.TestCase):

        # FIXME: Check with other credentials.

+    def test_credentials_list(self):
+        url = reverse('api:credential_list')
+        # Greg can't see the 'south' credential because the 'southerns' team is inactive
+        with self.current_user(self.user_greg):
+            all_credentials = self.get(url, expect=200)
+            self.assertFalse('south' in [x['username'] for x in all_credentials['results']])
+
+        url2 = reverse('api:team_detail', args=(self.team_ops_north.id,))
+        # Sue shouldn't be able to see the north credential once deleting its team
+        with self.current_user(self.user_sue):
+            self.delete(url2, expect=204)
+            all_credentials = self.get(url, expect=200)
+            self.assertFalse('north' in [x['username'] for x in all_credentials['results']])
+
    def test_post_job_template_list(self):
        url = reverse('api:job_template_list')
        data = dict(
@ -686,6 +728,8 @@ class JobTest(BaseJobTestMixin, django.test.TestCase):
        with self.current_user(self.user_sue):
            response = self.post(url, data, expect=201)

+        # sue can't create a job when it is hidden due to inactive team
+
        # FIXME: Check with other credentials and optional fields.

    def test_get_job_detail(self):