From ff3be050fa374651d43db87b8b6418dfdbfc134e Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Fri, 15 Apr 2016 11:56:08 -0400 Subject: [PATCH] test fixes and read_role --- awx/main/models/organization.py | 5 ++ awx/main/models/projects.py | 7 +++ awx/main/tests/functional/test_rbac_api.py | 30 +++++----- .../tests/functional/test_rbac_credential.py | 24 ++++---- .../functional/test_rbac_job_templates.py | 56 +++++++++---------- .../functional/test_rbac_organization.py | 8 +-- .../tests/functional/test_rbac_project.py | 32 +++++------ awx/main/tests/functional/test_rbac_team.py | 6 +- awx/main/tests/functional/test_rbac_user.py | 10 ++-- 9 files changed, 93 insertions(+), 85 deletions(-) diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py index f497d2a120..7bbe1ed79f 100644 --- a/awx/main/models/organization.py +++ b/awx/main/models/organization.py @@ -67,6 +67,11 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin): role_description='A member of this organization', parent_role='admin_role', ) + read_role = ImplicitRoleField( + role_name='Organization Read Access', + role_description='Read an organization', + parent_role='member_role', + ) def get_absolute_url(self): diff --git a/awx/main/models/projects.py b/awx/main/models/projects.py index 0f023ab56b..097a714fdf 100644 --- a/awx/main/models/projects.py +++ b/awx/main/models/projects.py @@ -239,7 +239,14 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin): member_role = ImplicitRoleField( role_name='Project Member', role_description='Implies membership within this project', + parent_role='admin_role', ) + read_role = ImplicitRoleField( + role_name='Project Read Access', + role_description='Read access to this project', + parent_role='member_role', + ) + scm_update_role = ImplicitRoleField( role_name='Project Updater', role_description='May update this project from the source control management system', 
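Review bot: The new Organization `read_role` uses `role_description='Read an organization'`, which reads as an action rather than a grant and does not match the Project wording added in the same patch. `role_description='Read access to this organization'` would keep the two consistent wherever role descriptions are shown. Because `read_role` hangs under `member_role`, which in turn has `parent_role='admin_role'`, a comment above the field such as `# members (and admins, via member_role's parent) inherit read access` would document the intended hierarchy. The Organization class body continues outside the hunk.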
diff --git a/awx/main/tests/functional/test_rbac_api.py b/awx/main/tests/functional/test_rbac_api.py index b2dd1af74d..9a3257875c 100644 --- a/awx/main/tests/functional/test_rbac_api.py +++ b/awx/main/tests/functional/test_rbac_api.py @@ -272,13 +272,11 @@ def test_org_admin_add_user_to_job_template(post, organization, check_jobtemplat joe = user('joe') organization.admin_role.members.add(org_admin) - assert check_jobtemplate.accessible_by(org_admin, {'write': True}) is True - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert org_admin in check_jobtemplate.admin_role + assert joe not in check_jobtemplate.execute_role - res =post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, org_admin) - - print(res.data) - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True + post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, org_admin) + assert joe in check_jobtemplate.execute_role @pytest.mark.django_db(transaction=True) @@ -289,12 +287,12 @@ def test_org_admin_remove_user_to_job_template(post, organization, check_jobtemp organization.admin_role.members.add(org_admin) check_jobtemplate.execute_role.members.add(joe) - assert check_jobtemplate.accessible_by(org_admin, {'write': True}) is True - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True + assert org_admin in check_jobtemplate.admin_role + assert joe in check_jobtemplate.execute_role post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'disassociate': True, 'id': joe.id}, org_admin) + assert joe not in check_jobtemplate.execute - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False @pytest.mark.django_db(transaction=True) def test_user_fail_to_add_user_to_job_template(post, organization, check_jobtemplate, user): 
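Review bot: In test_org_admin_remove_user_to_job_template the final assertion is `assert joe not in check_jobtemplate.execute`, while every other check in this file uses `execute_role`. Unless the fixture object has an `execute` attribute (none is shown here), this raises AttributeError instead of verifying that the disassociate request actually removed joe. It should read `assert joe not in check_jobtemplate.execute_role`.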
@@ -302,14 +300,13 @@ def test_user_fail_to_add_user_to_job_template(post, organization, check_jobtemp rando = user('rando') joe = user('joe') - assert check_jobtemplate.accessible_by(rando, {'write': True}) is False - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert rando not in check_jobtemplate.admin_role + assert joe not in check_jobtemplate.execute_role res = post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'id': joe.id}, rando) - print(res.data) assert res.status_code == 403 - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert joe not in check_jobtemplate.execute_role @pytest.mark.django_db(transaction=True) @@ -319,14 +316,13 @@ def test_user_fail_to_remove_user_to_job_template(post, organization, check_jobt joe = user('joe') check_jobtemplate.execute_role.members.add(joe) - assert check_jobtemplate.accessible_by(rando, {'write': True}) is False - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True + assert rando not in check_jobtemplate.admin_role + assert joe not in check_jobtemplate.execute_role res = post(reverse('api:role_users_list', args=(check_jobtemplate.execute_role.id,)), {'disassociate': True, 'id': joe.id}, rando) assert res.status_code == 403 - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True - + assert joe in check_jobtemplate.execute_role # # /roles//teams/ diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py index 61653a0fae..1bc584c5c9 100644 --- a/awx/main/tests/functional/test_rbac_credential.py +++ b/awx/main/tests/functional/test_rbac_credential.py 
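Review bot: The precondition in test_user_fail_to_remove_user_to_job_template was inverted during conversion. joe is added to `check_jobtemplate.execute_role.members` two lines earlier and the replaced line expected his access to be True, but the new line is `assert joe not in check_jobtemplate.execute_role`. As written the test should fail before the 403 path is exercised, so it no longer demonstrates that an unprivileged user's disassociate request leaves the grant intact. The line should be `assert joe in check_jobtemplate.execute_role`.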
@@ -16,13 +16,13 @@ def test_credential_migration_user(credential, user, permissions): rbac.migrate_credential(apps, None) - assert credential.accessible_by(u, permissions['admin']) + assert u in credential.owner_role @pytest.mark.django_db def test_credential_use_role(credential, user, permissions): u = user('user', False) credential.use_role.members.add(u) - assert credential.accessible_by(u, permissions['usage']) + assert u in credential.owner_role @pytest.mark.django_db def test_credential_migration_team_member(credential, team, user, permissions): @@ -35,12 +35,12 @@ def test_credential_migration_team_member(credential, team, user, permissions): # No permissions pre-migration (this happens automatically so we patch this) team.admin_role.children.remove(credential.owner_role) team.member_role.children.remove(credential.use_role) - assert not credential.accessible_by(u, permissions['admin']) + assert u not in credential.owner_role rbac.migrate_credential(apps, None) # Admin permissions post migration - assert credential.accessible_by(u, permissions['admin']) + assert u in credential.owner_role @pytest.mark.django_db def test_credential_migration_team_admin(credential, team, user, permissions): @@ -49,11 +49,11 @@ def test_credential_migration_team_admin(credential, team, user, permissions): credential.deprecated_team = team credential.save() - assert not credential.accessible_by(u, permissions['usage']) + assert u not in credential.use_role # Usage permissions post migration rbac.migrate_credential(apps, None) - assert credential.accessible_by(u, permissions['usage']) + assert u in credential.use_role def test_credential_access_superuser(): u = User(username='admin', is_superuser=True) 
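Review bot: test_credential_use_role adds `u` to `credential.use_role.members` and then asserts `u in credential.owner_role`, whereas the line it replaces checked `permissions['usage']`. The assertion looks copied from test_credential_migration_user just above it. It checks ownership after granting only usage, so it either fails or, if it passes, hides a use-to-owner escalation. `assert u in credential.use_role` restores the original intent. If owner is meant to be strictly stronger than use (the hierarchy is not visible in this diff), adding `assert u not in credential.owner_role` would pin that boundary.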
@@ -166,10 +166,10 @@ def test_cred_inventory_source(user, inventory, credential): inventory=inventory, ) - assert not credential.accessible_by(u, {'use':True}) + assert u not in credential.use_role rbac.migrate_credential(apps, None) - assert credential.accessible_by(u, {'use':True}) + assert u in credential.use_role @pytest.mark.django_db def test_cred_project(user, credential, project): @@ -178,10 +178,10 @@ def test_cred_project(user, credential, project): project.credential = credential project.save() - assert not credential.accessible_by(u, {'use':True}) + assert u not in credential.use_role rbac.migrate_credential(apps, None) - assert credential.accessible_by(u, {'use':True}) + assert u in credential.use_role @pytest.mark.django_db def test_cred_no_org(user, credential): @@ -196,7 +196,7 @@ def test_cred_team(user, team, credential): credential.deprecated_team = team credential.save() - assert not credential.accessible_by(u, {'use':True}) + assert u not in credential.use_role rbac.migrate_credential(apps, None) - assert credential.accessible_by(u, {'use':True}) + assert u in credential.use_role diff --git a/awx/main/tests/functional/test_rbac_job_templates.py b/awx/main/tests/functional/test_rbac_job_templates.py index 7cf083da2e..93538f67f0 100644 --- a/awx/main/tests/functional/test_rbac_job_templates.py +++ b/awx/main/tests/functional/test_rbac_job_templates.py 
@@ -27,16 +27,16 @@ def test_job_template_migration_check(deploy_jobtemplate, check_jobtemplate, use rbac.migrate_projects(apps, None) rbac.migrate_inventory(apps, None) - assert check_jobtemplate.project.accessible_by(joe, {'read': True}) - assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert joe in check_jobtemplate.project.read_role + assert admin in check_jobtemplate.execute_role + assert joe not in check_jobtemplate.execute_role rbac.migrate_job_templates(apps, None) - assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True - assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert admin in check_jobtemplate.execute_role + assert joe in check_jobtemplate.execute_role + assert admin in deploy_jobtemplate.execute_role + assert joe not in deploy_jobtemplate.execute_role @pytest.mark.django_db def test_job_template_migration_deploy(deploy_jobtemplate, check_jobtemplate, user): 
@@ -55,16 +55,16 @@ def test_job_template_migration_deploy(deploy_jobtemplate, check_jobtemplate, us rbac.migrate_projects(apps, None) rbac.migrate_inventory(apps, None) - assert deploy_jobtemplate.project.accessible_by(joe, {'read': True}) - assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert joe in deploy_jobtemplate.project.read_role + assert admin in deploy_jobtemplate.execute_role + assert joe not in deploy_jobtemplate.execute_role rbac.migrate_job_templates(apps, None) - assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is True - assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True + assert admin in deploy_jobtemplate.execute_role + assert joe in deploy_jobtemplate.execute_role + assert admin in check_jobtemplate.execute_role + assert joe in check_jobtemplate.execute_role @pytest.mark.django_db 
@@ -87,17 +87,17 @@ def test_job_template_team_migration_check(deploy_jobtemplate, check_jobtemplate rbac.migrate_projects(apps, None) rbac.migrate_inventory(apps, None) - assert check_jobtemplate.project.accessible_by(joe, {'read': True}) - assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert joe in check_jobtemplate.read_role + assert admin in check_jobtemplate.execute_role + assert joe not in check_jobtemplate.execute_role rbac.migrate_job_templates(apps, None) - assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True + assert admin in check_jobtemplate.execute_role + assert joe in check_jobtemplate.execute_role - assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert admin in deploy_jobtemplate.execute_role + assert joe not in deploy_jobtemplate.execute_role @pytest.mark.django_db 
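Review bot: The project read check in test_job_template_team_migration_check lost its `.project` hop. The old line was `check_jobtemplate.project.accessible_by(joe, {'read': True})` and the non-team tests in this file were converted to `check_jobtemplate.project.read_role`, but here it became `joe in check_jobtemplate.read_role`. That checks read access on the job template instead of on its project, and this patch only adds `read_role` to Organization and Project, so whether the job template has that field is not visible here. `assert joe in check_jobtemplate.project.read_role` keeps the original meaning. The same applies to `deploy_jobtemplate.read_role` in test_job_template_team_deploy_migration in the next hunk.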
@@ -120,17 +120,17 @@ def test_job_template_team_deploy_migration(deploy_jobtemplate, check_jobtemplat rbac.migrate_projects(apps, None) rbac.migrate_inventory(apps, None) - assert deploy_jobtemplate.project.accessible_by(joe, {'read': True}) - assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is False + assert joe in deploy_jobtemplate.read_role + assert admin in deploy_jobtemplate.execute_role + assert joe not in deploy_jobtemplate.execute_role rbac.migrate_job_templates(apps, None) - assert deploy_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert deploy_jobtemplate.accessible_by(joe, {'execute': True}) is True + assert admin in deploy_jobtemplate.execute_role + assert joe in deploy_jobtemplate.execute_role - assert check_jobtemplate.accessible_by(admin, {'execute': True}) is True - assert check_jobtemplate.accessible_by(joe, {'execute': True}) is True + assert admin in check_jobtemplate.execute_role + assert joe in check_jobtemplate.execute_role @mock.patch.object(BaseAccess, 'check_license', return_value=None) diff --git a/awx/main/tests/functional/test_rbac_organization.py b/awx/main/tests/functional/test_rbac_organization.py index 89a0298df6..77558c0e7c 100644 --- a/awx/main/tests/functional/test_rbac_organization.py +++ b/awx/main/tests/functional/test_rbac_organization.py @@ -16,11 +16,11 @@ def test_organization_migration_admin(organization, permissions, user): # Undo some automatic work that we're supposed to be testing with our migration organization.admin_role.members.remove(u) - assert not organization.accessible_by(u, permissions['admin']) + assert u not in organization.admin_role rbac.migrate_organization(apps, None) - assert organization.accessible_by(u, permissions['admin']) + assert u in organization.admin_role @pytest.mark.django_db def test_organization_migration_user(organization, permissions, user): 
@@ -29,11 +29,11 @@ def test_organization_migration_user(organization, permissions, user): # Undo some automatic work that we're supposed to be testing with our migration organization.member_role.members.remove(u) - assert not organization.accessible_by(u, permissions['auditor']) + assert u not in organization.read_role rbac.migrate_organization(apps, None) - assert organization.accessible_by(u, permissions['auditor']) + assert u in organization.read_role @mock.patch.object(BaseAccess, 'check_license', return_value=None) diff --git a/awx/main/tests/functional/test_rbac_project.py b/awx/main/tests/functional/test_rbac_project.py index 6fae236667..d2e504645a 100644 --- a/awx/main/tests/functional/test_rbac_project.py +++ b/awx/main/tests/functional/test_rbac_project.py @@ -138,11 +138,11 @@ def test_project_user_project(user_project, project, user): assert old_access.check_user_access(u, user_project.__class__, 'read', user_project) assert old_access.check_user_access(u, project.__class__, 'read', project) is False - assert user_project.accessible_by(u, {'read': True}) is False - assert project.accessible_by(u, {'read': True}) is False + assert u not in user_project.read_role + assert u not in project.read_role rbac.migrate_projects(apps, None) - assert user_project.accessible_by(u, {'read': True}) is True - assert project.accessible_by(u, {'read': True}) is False + assert u in user_project.read_role + assert u not in project.read_role @pytest.mark.django_db def test_project_accessible_by_sa(user, project): 
@@ -150,21 +150,21 @@ def test_project_accessible_by_sa(user, project): # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it Role.singleton('System Administrator').members.remove(u) - assert project.accessible_by(u, {'read': True}) is False + assert u not in project.read_role rbac.migrate_organization(apps, None) rbac.migrate_users(apps, None) rbac.migrate_projects(apps, None) print(project.admin_role.ancestors.all()) print(project.admin_role.ancestors.all()) - assert project.accessible_by(u, {'read': True, 'write': True}) is True + assert u in project.admin_role @pytest.mark.django_db def test_project_org_members(user, organization, project): admin = user('orgadmin') member = user('orgmember') - assert project.accessible_by(admin, {'read': True}) is False - assert project.accessible_by(member, {'read': True}) is False + assert admin not in project.read_role + assert member not in project.read_role organization.deprecated_admins.add(admin) organization.deprecated_users.add(member) @@ -172,8 +172,8 @@ def test_project_org_members(user, organization, project): rbac.migrate_organization(apps, None) rbac.migrate_projects(apps, None) - assert project.accessible_by(admin, {'read': True, 'write': True}) is True - assert project.accessible_by(member, {'read': True}) + assert admin in project.admin_role + assert member in project.read_role @pytest.mark.django_db def test_project_team(user, team, project): 
@@ -183,15 +183,15 @@ def test_project_team(user, team, project): team.deprecated_users.add(member) project.deprecated_teams.add(team) - assert project.accessible_by(nonmember, {'read': True}) is False - assert project.accessible_by(member, {'read': True}) is False + assert nonmember not in project.read_role + assert member not in project.read_role rbac.migrate_team(apps, None) rbac.migrate_organization(apps, None) rbac.migrate_projects(apps, None) - assert project.accessible_by(member, {'read': True}) is True - assert project.accessible_by(nonmember, {'read': True}) is False + assert member in project.read_role + assert nonmember not in project.read_role @pytest.mark.django_db def test_project_explicit_permission(user, team, project, organization): @@ -203,9 +203,9 @@ def test_project_explicit_permission(user, team, project, organization): p = Permission(user=u, project=project, permission_type='create', name='Perm name') p.save() - assert project.accessible_by(u, {'read': True}) is False + assert u not in project.read_role rbac.migrate_organization(apps, None) rbac.migrate_projects(apps, None) - assert project.accessible_by(u, {'read': True}) is True + assert u in project.read_role diff --git a/awx/main/tests/functional/test_rbac_team.py b/awx/main/tests/functional/test_rbac_team.py index a6ad507e22..7bd60279ca 100644 --- a/awx/main/tests/functional/test_rbac_team.py +++ b/awx/main/tests/functional/test_rbac_team.py @@ -54,11 +54,11 @@ def test_team_accessible_by(team, user, project): u = user('team_member', False) team.member_role.children.add(project.member_role) - assert project.accessible_by(team, {'read':True}) - assert not project.accessible_by(u, {'read':True}) + assert team in project.read_role + assert u not in project.read_role team.member_role.members.add(u) - assert project.accessible_by(u, {'read':True}) + assert u in project.read_role @pytest.mark.django_db def test_team_accessible_objects(team, user, project): 
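Review bot: In test_team_accessible_by (test_rbac_team.py), `assert team in project.read_role` passes a Team rather than a user to the role membership check, while every other converted assertion in this patch has a user on the left-hand side. The role class's membership lookup is not part of this diff, so it is worth confirming that it resolves a Team through its `member_role` rather than treating it like a user. A comment on that line such as `# team, not a user: relies on the role membership check accepting Team objects` would make the dependency explicit. The test function starts before the hunk.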
diff --git a/awx/main/tests/functional/test_rbac_user.py b/awx/main/tests/functional/test_rbac_user.py index 346413b6f6..9bfafe43f5 100644 --- a/awx/main/tests/functional/test_rbac_user.py +++ b/awx/main/tests/functional/test_rbac_user.py @@ -55,13 +55,13 @@ def test_org_user_admin(user, organization): member = user('orgmember') organization.member_role.members.add(member) - assert not member.accessible_by(admin, {'write':True}) + assert admin not in member.admin_role organization.admin_role.members.add(admin) - assert member.accessible_by(admin, {'write':True}) + assert admin in member.admin_role organization.admin_role.members.remove(admin) - assert not member.accessible_by(admin, {'write':True}) + assert admin not in member.admin_role @pytest.mark.django_db def test_org_user_removed(user, organization): @@ -71,7 +71,7 @@ def test_org_user_removed(user, organization): organization.admin_role.members.add(admin) organization.member_role.members.add(member) - assert member.accessible_by(admin, {'write':True}) + assert admin in member.admin_role organization.member_role.members.remove(member) - assert not member.accessible_by(admin, {'write':True}) + assert admin not in member.admin_role