shaba/awx
1
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2024-11-01 16:51:11 +03:00
Code Releases Activity

Handle cascading mark inactive in better ways as per rbac spec

Browse Source 
specifically around Teams and Credentials
This commit is contained in:
Matthew Jones 2014-07-24 15:19:53 -04:00
parent 20d76bfc91
commit 695df551e7
4 changed files with 53 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
awx/main/access.py
View File

@ -258,8 +258,8 @@ class InventoryAccess(BaseAccess):
qs = qs.select_related('created_by', 'organization') qs = qs.select_related('created_by', 'organization')
if self.user.is_superuser: if self.user.is_superuser:
return qs return qs
admin_of = qs.filter(organization__admins__in=[self.user], qs = qs.filter(organization__active=True)
organization__active=True).distinct() admin_of = qs.filter(organization__admins__in=[self.user]).distinct()
has_user_perms = qs.filter( has_user_perms = qs.filter(
permissions__user__in=[self.user], permissions__user__in=[self.user],
permissions__permission_type__in=allowed, permissions__permission_type__in=allowed,

7
awx/main/models/organization.py
View File

@ -83,6 +83,13 @@ class Team(CommonModelNameNotUnique):
def get_absolute_url(self): def get_absolute_url(self):
return reverse('api:team_detail', args=(self.pk,)) return reverse('api:team_detail', args=(self.pk,))
def mark_inactive(self, save=True):
'''
When marking a team inactive we'll wipe out its credentials also
'''
for cred in self.credentials.all():
cred.mark_inactive()
super(Team, self).mark_inactive(save=save)
class Permission(CommonModelNameNotUnique): class Permission(CommonModelNameNotUnique):
''' '''

2
awx/main/tasks.py
View File

@ -46,8 +46,6 @@ HIDDEN_PASSWORD = '**********'
logger = logging.getLogger('awx.main.tasks') logger = logging.getLogger('awx.main.tasks')
# FIXME: Cleanly cancel task when celery worker is stopped.
@task() @task()
def bulk_inventory_element_delete(inventory, hosts=[], groups=[]): def bulk_inventory_element_delete(inventory, hosts=[], groups=[]):
from awx.main.signals import disable_activity_stream from awx.main.signals import disable_activity_stream

44
awx/main/tests/jobs.py
View File

@ -251,6 +251,23 @@ class BaseJobTestMixin(BaseTestMixin):
self.team_ops_west.users.add(self.user_greg) self.team_ops_west.users.add(self.user_greg)
self.team_ops_west.users.add(self.user_iris) self.team_ops_west.users.add(self.user_iris)
# The south team is no longer active having been folded into the east team
self.team_ops_south = self.org_ops.teams.create(
name='southerners',
created_by=self.user_sue,
active=False,
)
self.team_ops_south.projects.add(self.proj_prod)
self.team_ops_south.users.add(self.user_greg)
# The north team is going to be deleted
self.team_ops_north = self.org_ops.teams.create(
name='northerners',
created_by=self.user_sue,
)
self.team_ops_north.projects.add(self.proj_prod)
self.team_ops_north.users.add(self.user_greg)
# Each user has his/her own set of credentials. # Each user has his/her own set of credentials.
from awx.main.tests.tasks import (TEST_SSH_KEY_DATA, from awx.main.tests.tasks import (TEST_SSH_KEY_DATA,
TEST_SSH_KEY_DATA_LOCKED, TEST_SSH_KEY_DATA_LOCKED,
@ -312,6 +329,17 @@ class BaseJobTestMixin(BaseTestMixin):
password='Heading270', password='Heading270',
created_by = self.user_sue, created_by = self.user_sue,
) )
self.cred_ops_south = self.team_ops_south.credentials.create(
username='south',
password='Heading180',
created_by = self.user_sue,
)
self.cred_ops_north = self.team_ops_north.credentials.create(
username='north',
password='Heading0',
created_by = self.user_sue,
)
# FIXME: Define explicit permissions for tests. # FIXME: Define explicit permissions for tests.
# other django user is on the project team and can deploy # other django user is on the project team and can deploy
@ -502,6 +530,20 @@ class JobTemplateTest(BaseJobTestMixin, django.test.TestCase):
# FIXME: Check with other credentials. # FIXME: Check with other credentials.
def test_credentials_list(self):
url = reverse('api:credential_list')
# Greg can't see the 'south' credential because the 'southerns' team is inactive
with self.current_user(self.user_greg):
all_credentials = self.get(url, expect=200)
self.assertFalse('south' in [x['username'] for x in all_credentials['results']])
url2 = reverse('api:team_detail', args=(self.team_ops_north.id,))
# Sue shouldn't be able to see the north credential once deleting its team
with self.current_user(self.user_sue):
self.delete(url2, expect=204)
all_credentials = self.get(url, expect=200)
self.assertFalse('north' in [x['username'] for x in all_credentials['results']])
def test_post_job_template_list(self): def test_post_job_template_list(self):
url = reverse('api:job_template_list') url = reverse('api:job_template_list')
data = dict( data = dict(
@ -686,6 +728,8 @@ class JobTest(BaseJobTestMixin, django.test.TestCase):
with self.current_user(self.user_sue): with self.current_user(self.user_sue):
response = self.post(url, data, expect=201) response = self.post(url, data, expect=201)
# sue can't create a job when it is hidden due to inactive team
# FIXME: Check with other credentials and optional fields. # FIXME: Check with other credentials and optional fields.
def test_get_job_detail(self): def test_get_job_detail(self):