def test_job_template_access_admin(role_names, jt_linked, rando): ssh_cred = jt_linked.machine_credential access = JobTemplateAccess(rando) # Appoint this user as admin of the organization #jt_linked.inventory.organization.admin_role.members.add(rando) assert not access.can_read(jt_linked) assert not access.can_delete(jt_linked) for role_name in role_names: role = getattr(jt_linked.inventory.organization, role_name) role.members.add(rando) # Assign organization permission in the same way the create view does organization = jt_linked.inventory.organization ssh_cred.admin_role.parents.add(organization.admin_role) proj_pk = jt_linked.project.pk assert access.can_add( dict(inventory=jt_linked.inventory.pk, project=proj_pk)) assert access.can_add(dict(credential=ssh_cred.pk, project=proj_pk)) for cred in jt_linked.credentials.all(): assert access.can_unattach(jt_linked, cred, 'credentials', {}) assert access.can_read(jt_linked) assert access.can_delete(jt_linked)
def test_job_template_access_use_level(jt_linked, rando): access = JobTemplateAccess(rando) jt_linked.project.use_role.members.add(rando) jt_linked.inventory.use_role.members.add(rando) jt_linked.organization.job_template_admin_role.members.add(rando) proj_pk = jt_linked.project.pk org_pk = jt_linked.organization_id assert access.can_change(jt_linked, { 'job_type': 'check', 'project': proj_pk }) assert access.can_change(jt_linked, { 'job_type': 'check', 'inventory': None }) for cred in jt_linked.credentials.all(): assert access.can_unattach(jt_linked, cred, 'credentials', {}) assert access.can_add( dict(inventory=jt_linked.inventory.pk, project=proj_pk, organization=org_pk)) assert access.can_add(dict(project=proj_pk, organization=org_pk))
def test_job_template_access_read_level(jt_linked, rando): access = JobTemplateAccess(rando) jt_linked.project.read_role.members.add(rando) jt_linked.inventory.read_role.members.add(rando) jt_linked.get_deprecated_credential('ssh').read_role.members.add(rando) proj_pk = jt_linked.project.pk assert not access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk)) assert not access.can_add(dict(credential=jt_linked.credential, project=proj_pk)) assert not access.can_add(dict(vault_credential=jt_linked.vault_credential, project=proj_pk)) for cred in jt_linked.credentials.all(): assert not access.can_unattach(jt_linked, cred, 'credentials', {})
def test_jt_add_scan_job_check(job_template_with_ids, user_unit): "Assure that permissions to add scan jobs work correctly" access = JobTemplateAccess(user_unit) project = job_template_with_ids.project inventory = job_template_with_ids.inventory project.use_role = Role() inventory.use_role = Role() organization = Organization(name='test-org') inventory.organization = organization organization.admin_role = Role() def mock_get_object(Class, **kwargs): if Class == Project: return project elif Class == Inventory: return inventory else: raise Exception('Item requested has not been mocked') with mock.patch.object(JobTemplateAccess, 'check_license', return_value=None): with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True): with mock.patch('awx.main.access.get_object_or_400', mock_get_object): assert access.can_add({ 'project': project.pk, 'inventory': inventory.pk, 'job_type': 'scan' })
def test_job_template_access_read_level(jt_linked, rando): ssh_cred = jt_linked.machine_credential vault_cred = jt_linked.vault_credentials[0] access = JobTemplateAccess(rando) jt_linked.project.read_role.members.add(rando) jt_linked.inventory.read_role.members.add(rando) ssh_cred.read_role.members.add(rando) proj_pk = jt_linked.project.pk assert not access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk)) assert not access.can_add(dict(credential=ssh_cred.pk, project=proj_pk)) assert not access.can_add(dict(vault_credential=vault_cred.pk, project=proj_pk)) for cred in jt_linked.credentials.all(): assert not access.can_unattach(jt_linked, cred, 'credentials', {})
def test_job_template_access_org_admin(jt_linked, rando): access = JobTemplateAccess(rando) # Appoint this user as admin of the organization jt_linked.inventory.organization.admin_role.members.add(rando) # Assign organization permission in the same way the create view does organization = jt_linked.inventory.organization jt_linked.get_deprecated_credential('ssh').admin_role.parents.add(organization.admin_role) proj_pk = jt_linked.project.pk assert access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk)) assert access.can_add(dict(credential=jt_linked.credential, project=proj_pk)) for cred in jt_linked.credentials.all(): assert access.can_unattach(jt_linked, cred, 'credentials', {}) assert access.can_read(jt_linked) assert access.can_delete(jt_linked)
def test_job_template_access_superuser(check_license, user, deploy_jobtemplate): # GIVEN a superuser u = user('admin', True) # WHEN access to a job template is checked access = JobTemplateAccess(u) # THEN all access checks should pass assert access.can_read(deploy_jobtemplate) assert access.can_add({})
def test_job_template_access_use_level(jt_linked, rando): access = JobTemplateAccess(rando) jt_linked.project.use_role.members.add(rando) jt_linked.inventory.use_role.members.add(rando) jt_linked.credential.use_role.members.add(rando) jt_linked.vault_credential.use_role.members.add(rando) proj_pk = jt_linked.project.pk assert access.can_add( dict(inventory=jt_linked.inventory.pk, project=proj_pk)) assert access.can_add( dict(credential=jt_linked.credential.pk, project=proj_pk)) assert access.can_add( dict(vault_credential=jt_linked.vault_credential.pk, project=proj_pk)) for cred in jt_linked.extra_credentials.all(): assert not access.can_unattach(jt_linked, cred, 'extra_credentials', {})
def test_project_use_access(project, rando): project.use_role.members.add(rando) access = JobTemplateAccess(rando) assert access.can_add(None) assert access.can_add({ 'project': project.id, 'ask_inventory_on_launch': True }) project2 = Project.objects.create( name='second-project', scm_type=project.scm_type, playbook_files=project.playbook_files, organization=project.organization, ) project2.use_role.members.add(rando) jt = JobTemplate.objects.create(project=project, ask_inventory_on_launch=True) jt.admin_role.members.add(rando) assert access.can_change(jt, {'project': project2.pk})
def test_jt_can_add_bad_data(user_unit): "Assure that no server errors are returned if we call JT can_add with bad data" access = JobTemplateAccess(user_unit) assert not access.can_add({'asdf': 'asdf'})