test fixes and read_role
parent
d508254742
commit
ff3be050fa
@ -67,6 +67,11 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin):
|
||||
role_description='A member of this organization',
|
||||
parent_role='admin_role',
|
||||
)
|
||||
read_role = ImplicitRoleField(
|
||||
role_name='Organization Read Access',
|
||||
role_description='Read an organization',
|
||||
parent_role='member_role',
|
||||
)
|
||||
|
||||
|
||||
def get_absolute_url(self):
|
||||
|
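Review bot: No schema migration or backfill for the new `read_role` field is visible on this page, so organizations that already exist may have no read role until something creates it; the same applies to the `read_role` added to `Project` in the next section. If `ImplicitRoleField` is database-backed, the commit should carry the migration, and existing objects need their implicit roles rebuilt so current members keep read access. Since `parent_role='member_role'` appears to hand read access to every member (and, through `member_role`'s own parent, every admin), a comment above the field such as `# read-only access; inherited by members and admins via member_role` would record that intent. Both class bodies continue outside the hunks.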
@ -239,7 +239,14 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
|
||||
member_role = ImplicitRoleField(
|
||||
role_name='Project Member',
|
||||
role_description='Implies membership within this project',
|
||||
parent_role='admin_role',
|
||||
)
|
||||
read_role = ImplicitRoleField(
|
||||
role_name='Project Read Access',
|
||||
role_description='Read access to this project',
|
||||
parent_role='member_role',
|
||||
)
|
||||
|
||||
scm_update_role = ImplicitRoleField(
|
||||
role_name='Project Updater',
|
||||
role_description='May update this project from the source control management system',
|
||||
|
@ -272,13 +272,11 @@ def test_org_admin_add_user_to_job_template(post, organization, check_jobtemplat
|
||||
joe = user('joe')
|
||||
organization.admin_role.members.add(org_admin)
|
||||
|
||||
assert check_jobtemplate.accessible_by(org_admin, {'write': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert org_admin in check_jobtemplate.admin_role
|
||||
assert joe not in check_jobtemplate.execute_role
|
||||
|
||||
res =post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, org_admin)
|
||||
|
||||
print(res.data)
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, org_admin)
|
||||
assert joe in check_jobtemplate.execute_role
|
||||
|
||||
|
||||
@pytest.mark.django_db(transaction=True)
|
||||
@ -289,12 +287,12 @@ def test_org_admin_remove_user_to_job_template(post, organization, check_jobtemp
|
||||
organization.admin_role.members.add(org_admin)
|
||||
check_jobtemplate.execute_role.members.add(joe)
|
||||
|
||||
assert check_jobtemplate.accessible_by(org_admin, {'write': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
assert org_admin in check_jobtemplate.admin_role
|
||||
assert joe in check_jobtemplate.execute_role
|
||||
|
||||
post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'disassociate': True, 'id': joe.id}, org_admin)
|
||||
assert joe not in check_jobtemplate.execute
|
||||
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
|
||||
@pytest.mark.django_db(transaction=True)
|
||||
def test_user_fail_to_add_user_to_job_template(post, organization, check_jobtemplate, user):
|
||||
@ -302,14 +300,13 @@ def test_user_fail_to_add_user_to_job_template(post, organization, check_jobtemp
|
||||
rando = user('rando')
|
||||
joe = user('joe')
|
||||
|
||||
assert check_jobtemplate.accessible_by(rando, {'write': True}) is False
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert rando not in check_jobtemplate.admin_role
|
||||
assert joe not in check_jobtemplate.execute_role
|
||||
|
||||
res = post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, rando)
|
||||
print(res.data)
|
||||
assert res.status_code == 403
|
||||
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert joe not in check_jobtemplate.execute_role
|
||||
|
||||
|
||||
@pytest.mark.django_db(transaction=True)
|
||||
@ -319,14 +316,13 @@ def test_user_fail_to_remove_user_to_job_template(post, organization, check_jobt
|
||||
joe = user('joe')
|
||||
check_jobtemplate.execute_role.members.add(joe)
|
||||
|
||||
assert check_jobtemplate.accessible_by(rando, {'write': True}) is False
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
assert rando not in check_jobtemplate.admin_role
|
||||
assert joe not in check_jobtemplate.execute_role
|
||||
|
||||
res = post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'disassociate': True, 'id': joe.id}, rando)
|
||||
assert res.status_code == 403
|
||||
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
|
||||
assert joe in check_jobtemplate.execute_role
|
||||
|
||||
#
|
||||
# /roles/<id>/teams/
|
||||
|
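Review bot: In `test_user_fail_to_remove_user_to_job_template` the new precondition `assert joe not in check_jobtemplate.execute_role` follows directly after `check_jobtemplate.execute_role.members.add(joe)` and replaces a check that joe did have execute access, so it is inverted; it should read `assert joe in check_jobtemplate.execute_role`. In `test_org_admin_remove_user_to_job_template` the post-condition is written `assert joe not in check_jobtemplate.execute`, which looks like a truncated attribute name and should be `assert joe not in check_jobtemplate.execute_role`. As written, neither test reliably pins the access state around the disassociate request, which is the behaviour these RBAC tests exist to guard.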
@ -16,13 +16,13 @@ def test_credential_migration_user(credential, user, permissions):
|
||||
|
||||
rbac.migrate_credential(apps, None)
|
||||
|
||||
assert credential.accessible_by(u, permissions['admin'])
|
||||
assert u in credential.owner_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_credential_use_role(credential, user, permissions):
|
||||
u = user('user', False)
|
||||
credential.use_role.members.add(u)
|
||||
assert credential.accessible_by(u, permissions['usage'])
|
||||
assert u in credential.owner_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_credential_migration_team_member(credential, team, user, permissions):
|
||||
@ -35,12 +35,12 @@ def test_credential_migration_team_member(credential, team, user, permissions):
|
||||
# No permissions pre-migration (this happens automatically so we patch this)
|
||||
team.admin_role.children.remove(credential.owner_role)
|
||||
team.member_role.children.remove(credential.use_role)
|
||||
assert not credential.accessible_by(u, permissions['admin'])
|
||||
assert u not in credential.owner_role
|
||||
|
||||
rbac.migrate_credential(apps, None)
|
||||
|
||||
# Admin permissions post migration
|
||||
assert credential.accessible_by(u, permissions['admin'])
|
||||
assert u in credential.owner_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_credential_migration_team_admin(credential, team, user, permissions):
|
||||
@ -49,11 +49,11 @@ def test_credential_migration_team_admin(credential, team, user, permissions):
|
||||
credential.deprecated_team = team
|
||||
credential.save()
|
||||
|
||||
assert not credential.accessible_by(u, permissions['usage'])
|
||||
assert u not in credential.use_role
|
||||
|
||||
# Usage permissions post migration
|
||||
rbac.migrate_credential(apps, None)
|
||||
assert credential.accessible_by(u, permissions['usage'])
|
||||
assert u in credential.use_role
|
||||
|
||||
def test_credential_access_superuser():
|
||||
u = User(username='admin', is_superuser=True)
|
||||
@ -166,10 +166,10 @@ def test_cred_inventory_source(user, inventory, credential):
|
||||
inventory=inventory,
|
||||
)
|
||||
|
||||
assert not credential.accessible_by(u, {'use':True})
|
||||
assert u not in credential.use_role
|
||||
|
||||
rbac.migrate_credential(apps, None)
|
||||
assert credential.accessible_by(u, {'use':True})
|
||||
assert u in credential.use_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_cred_project(user, credential, project):
|
||||
@ -178,10 +178,10 @@ def test_cred_project(user, credential, project):
|
||||
project.credential = credential
|
||||
project.save()
|
||||
|
||||
assert not credential.accessible_by(u, {'use':True})
|
||||
assert u not in credential.use_role
|
||||
|
||||
rbac.migrate_credential(apps, None)
|
||||
assert credential.accessible_by(u, {'use':True})
|
||||
assert u in credential.use_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_cred_no_org(user, credential):
|
||||
@ -196,7 +196,7 @@ def test_cred_team(user, team, credential):
|
||||
credential.deprecated_team = team
|
||||
credential.save()
|
||||
|
||||
assert not credential.accessible_by(u, {'use':True})
|
||||
assert u not in credential.use_role
|
||||
|
||||
rbac.migrate_credential(apps, None)
|
||||
assert credential.accessible_by(u, {'use':True})
|
||||
assert u in credential.use_role
|
||||
|
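Review bot: `test_credential_use_role` adds the user to `credential.use_role` and then asserts `assert u in credential.owner_role`, where the line it replaces checked only `permissions['usage']`. A use-only grant should not imply ownership, so this assertion either fails or, if it passes, hides an escalation from use to owner. It should be `assert u in credential.use_role`, and, assuming the fixture user holds no other role on the credential, `assert u not in credential.owner_role` would pin the boundary.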
@ -27,16 +27,16 @@ def test_job_template_migration_check(deploy_jobtemplate, check_jobtemplate, use
|
||||
rbac.migrate_projects(apps, None)
|
||||
rbac.migrate_inventory(apps, None)
|
||||
|
||||
assert check_jobtemplate.project.accessible_by(joe, {'read': True})
|
||||
assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert joe in check_jobtemplate.project.read_role
|
||||
assert admin in check_jobtemplate.execute_role
|
||||
assert joe not in check_jobtemplate.execute_role
|
||||
|
||||
rbac.migrate_job_templates(apps, None)
|
||||
|
||||
assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert admin in check_jobtemplate.execute_role
|
||||
assert joe in check_jobtemplate.execute_role
|
||||
assert admin in deploy_jobtemplate.execute_role
|
||||
assert joe not in deploy_jobtemplate.execute_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_job_template_migration_deploy(deploy_jobtemplate, check_jobtemplate, user):
|
||||
@ -55,16 +55,16 @@ def test_job_template_migration_deploy(deploy_jobtemplate, check_jobtemplate, us
|
||||
rbac.migrate_projects(apps, None)
|
||||
rbac.migrate_inventory(apps, None)
|
||||
|
||||
assert deploy_jobtemplate.project.accessible_by(joe, {'read': True})
|
||||
assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert joe in deploy_jobtemplate.project.read_role
|
||||
assert admin in deploy_jobtemplate.execute_role
|
||||
assert joe not in deploy_jobtemplate.execute_role
|
||||
|
||||
rbac.migrate_job_templates(apps, None)
|
||||
|
||||
assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
assert admin in deploy_jobtemplate.execute_role
|
||||
assert joe in deploy_jobtemplate.execute_role
|
||||
assert admin in check_jobtemplate.execute_role
|
||||
assert joe in check_jobtemplate.execute_role
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
@ -87,17 +87,17 @@ def test_job_template_team_migration_check(deploy_jobtemplate, check_jobtemplate
|
||||
rbac.migrate_projects(apps, None)
|
||||
rbac.migrate_inventory(apps, None)
|
||||
|
||||
assert check_jobtemplate.project.accessible_by(joe, {'read': True})
|
||||
assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert joe in check_jobtemplate.read_role
|
||||
assert admin in check_jobtemplate.execute_role
|
||||
assert joe not in check_jobtemplate.execute_role
|
||||
|
||||
rbac.migrate_job_templates(apps, None)
|
||||
|
||||
assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
assert admin in check_jobtemplate.execute_role
|
||||
assert joe in check_jobtemplate.execute_role
|
||||
|
||||
assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert admin in deploy_jobtemplate.execute_role
|
||||
assert joe not in deploy_jobtemplate.execute_role
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
@ -120,17 +120,17 @@ def test_job_template_team_deploy_migration(deploy_jobtemplate, check_jobtemplat
|
||||
rbac.migrate_projects(apps, None)
|
||||
rbac.migrate_inventory(apps, None)
|
||||
|
||||
assert deploy_jobtemplate.project.accessible_by(joe, {'read': True})
|
||||
assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False
|
||||
assert joe in deploy_jobtemplate.read_role
|
||||
assert admin in deploy_jobtemplate.execute_role
|
||||
assert joe not in deploy_jobtemplate.execute_role
|
||||
|
||||
rbac.migrate_job_templates(apps, None)
|
||||
|
||||
assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
assert admin in deploy_jobtemplate.execute_role
|
||||
assert joe in deploy_jobtemplate.execute_role
|
||||
|
||||
assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True
|
||||
assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True
|
||||
assert admin in check_jobtemplate.execute_role
|
||||
assert joe in check_jobtemplate.execute_role
|
||||
|
||||
|
||||
@mock.patch.object(BaseAccess, 'check_license', return_value=None)
|
||||
|
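Review bot: The two team-migration tests replace `check_jobtemplate.project.accessible_by(joe, {'read': True})` with `assert joe in check_jobtemplate.read_role` (and the `deploy_jobtemplate` equivalent), dropping `.project`, while the two user-migration tests above keep it as `joe in check_jobtemplate.project.read_role`. That moves the check from project read access to job-template read access, and no `read_role` on the job template model is visible on this page. If the intent is unchanged, use `assert joe in check_jobtemplate.project.read_role` and `assert joe in deploy_jobtemplate.project.read_role`.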
@ -16,11 +16,11 @@ def test_organization_migration_admin(organization, permissions, user):
|
||||
|
||||
# Undo some automatic work that we're supposed to be testing with our migration
|
||||
organization.admin_role.members.remove(u)
|
||||
assert not organization.accessible_by(u, permissions['admin'])
|
||||
assert u not in organization.admin_role
|
||||
|
||||
rbac.migrate_organization(apps, None)
|
||||
|
||||
assert organization.accessible_by(u, permissions['admin'])
|
||||
assert u in organization.admin_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_organization_migration_user(organization, permissions, user):
|
||||
@ -29,11 +29,11 @@ def test_organization_migration_user(organization, permissions, user):
|
||||
|
||||
# Undo some automatic work that we're supposed to be testing with our migration
|
||||
organization.member_role.members.remove(u)
|
||||
assert not organization.accessible_by(u, permissions['auditor'])
|
||||
assert u not in organization.read_role
|
||||
|
||||
rbac.migrate_organization(apps, None)
|
||||
|
||||
assert organization.accessible_by(u, permissions['auditor'])
|
||||
assert u in organization.read_role
|
||||
|
||||
|
||||
@mock.patch.object(BaseAccess, 'check_license', return_value=None)
|
||||
|
@ -138,11 +138,11 @@ def test_project_user_project(user_project, project, user):
|
||||
assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
|
||||
assert old_access.check_user_access(u, project.__class__, 'read', project) is False
|
||||
|
||||
assert user_project.accessible_by(u, {'read': True}) is False
|
||||
assert project.accessible_by(u, {'read': True}) is False
|
||||
assert u not in user_project.read_role
|
||||
assert u not in project.read_role
|
||||
rbac.migrate_projects(apps, None)
|
||||
assert user_project.accessible_by(u, {'read': True}) is True
|
||||
assert project.accessible_by(u, {'read': True}) is False
|
||||
assert u in user_project.read_role
|
||||
assert u not in project.read_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_accessible_by_sa(user, project):
|
||||
@ -150,21 +150,21 @@ def test_project_accessible_by_sa(user, project):
|
||||
# This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
|
||||
Role.singleton('System Administrator').members.remove(u)
|
||||
|
||||
assert project.accessible_by(u, {'read': True}) is False
|
||||
assert u not in project.read_role
|
||||
rbac.migrate_organization(apps, None)
|
||||
rbac.migrate_users(apps, None)
|
||||
rbac.migrate_projects(apps, None)
|
||||
print(project.admin_role.ancestors.all())
|
||||
print(project.admin_role.ancestors.all())
|
||||
assert project.accessible_by(u, {'read': True, 'write': True}) is True
|
||||
assert u in project.admin_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_org_members(user, organization, project):
|
||||
admin = user('orgadmin')
|
||||
member = user('orgmember')
|
||||
|
||||
assert project.accessible_by(admin, {'read': True}) is False
|
||||
assert project.accessible_by(member, {'read': True}) is False
|
||||
assert admin not in project.read_role
|
||||
assert member not in project.read_role
|
||||
|
||||
organization.deprecated_admins.add(admin)
|
||||
organization.deprecated_users.add(member)
|
||||
@ -172,8 +172,8 @@ def test_project_org_members(user, organization, project):
|
||||
rbac.migrate_organization(apps, None)
|
||||
rbac.migrate_projects(apps, None)
|
||||
|
||||
assert project.accessible_by(admin, {'read': True, 'write': True}) is True
|
||||
assert project.accessible_by(member, {'read': True})
|
||||
assert admin in project.admin_role
|
||||
assert member in project.read_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_team(user, team, project):
|
||||
@ -183,15 +183,15 @@ def test_project_team(user, team, project):
|
||||
team.deprecated_users.add(member)
|
||||
project.deprecated_teams.add(team)
|
||||
|
||||
assert project.accessible_by(nonmember, {'read': True}) is False
|
||||
assert project.accessible_by(member, {'read': True}) is False
|
||||
assert nonmember not in project.read_role
|
||||
assert member not in project.read_role
|
||||
|
||||
rbac.migrate_team(apps, None)
|
||||
rbac.migrate_organization(apps, None)
|
||||
rbac.migrate_projects(apps, None)
|
||||
|
||||
assert project.accessible_by(member, {'read': True}) is True
|
||||
assert project.accessible_by(nonmember, {'read': True}) is False
|
||||
assert member in project.read_role
|
||||
assert nonmember not in project.read_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_project_explicit_permission(user, team, project, organization):
|
||||
@ -203,9 +203,9 @@ def test_project_explicit_permission(user, team, project, organization):
|
||||
p = Permission(user=u, project=project, permission_type='create', name='Perm name')
|
||||
p.save()
|
||||
|
||||
assert project.accessible_by(u, {'read': True}) is False
|
||||
assert u not in project.read_role
|
||||
|
||||
rbac.migrate_organization(apps, None)
|
||||
rbac.migrate_projects(apps, None)
|
||||
|
||||
assert project.accessible_by(u, {'read': True}) is True
|
||||
assert u in project.read_role
|
||||
|
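Review bot: `test_project_accessible_by_sa` still carries a debug `print(project.admin_role.ancestors.all())` between the migration calls and the final assertion; it adds noise to test output and verifies nothing. Remove it, or, if the ancestor chain is what the test means to check, replace it with an assertion on the expected ancestor.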
@ -54,11 +54,11 @@ def test_team_accessible_by(team, user, project):
|
||||
u = user('team_member', False)
|
||||
|
||||
team.member_role.children.add(project.member_role)
|
||||
assert project.accessible_by(team, {'read':True})
|
||||
assert not project.accessible_by(u, {'read':True})
|
||||
assert team in project.read_role
|
||||
assert u not in project.read_role
|
||||
|
||||
team.member_role.members.add(u)
|
||||
assert project.accessible_by(u, {'read':True})
|
||||
assert u in project.read_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_team_accessible_objects(team, user, project):
|
||||
|
@ -55,13 +55,13 @@ def test_org_user_admin(user, organization):
|
||||
member = user('orgmember')
|
||||
|
||||
organization.member_role.members.add(member)
|
||||
assert not member.accessible_by(admin, {'write':True})
|
||||
assert admin not in member.admin_role
|
||||
|
||||
organization.admin_role.members.add(admin)
|
||||
assert member.accessible_by(admin, {'write':True})
|
||||
assert admin in member.admin_role
|
||||
|
||||
organization.admin_role.members.remove(admin)
|
||||
assert not member.accessible_by(admin, {'write':True})
|
||||
assert admin not in member.admin_role
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_org_user_removed(user, organization):
|
||||
@ -71,7 +71,7 @@ def test_org_user_removed(user, organization):
|
||||
organization.admin_role.members.add(admin)
|
||||
organization.member_role.members.add(member)
|
||||
|
||||
assert member.accessible_by(admin, {'write':True})
|
||||
assert admin in member.admin_role
|
||||
|
||||
organization.member_role.members.remove(member)
|
||||
assert not member.accessible_by(admin, {'write':True})
|
||||
assert admin not in member.admin_role
|
||||
|