def test_jt_add_scan_job_check(job_template_with_ids, user_unit): "Assure that permissions to add scan jobs work correctly" access = JobTemplateAccess(user_unit) project = job_template_with_ids.project inventory = job_template_with_ids.inventory project.use_role = Role() inventory.use_role = Role() organization = Organization(name='test-org') inventory.organization = organization organization.admin_role = Role() def mock_get_object(Class, **kwargs): if Class == Project: return project elif Class == Inventory: return inventory else: raise Exception('Item requested has not been mocked') with mock.patch.object(JobTemplateAccess, 'check_license', return_value=None): with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True): with mock.patch('awx.main.access.get_object_or_400', mock_get_object): assert access.can_add({ 'project': project.pk, 'inventory': inventory.pk, 'job_type': 'scan' })
def mk_organization(name, description=None, persisted=True): description = description or '{}-description'.format(name) org = Organization(name=name, description=description) if persisted: mk_instance(persisted) org.save() return org
def mk_organization(name, description=None, persisted=True): description = description or '{}-description'.format(name) org = Organization(name=name, description=description) if persisted: instances = Instance.objects.all() if not instances: mk_instance(persisted) org.save() return org
def get(self, request, format=None): '''Return various sitewide configuration settings''' if request.user.is_superuser or request.user.is_system_auditor: license_data = get_license(show_key=True) else: license_data = get_license(show_key=False) if not license_data.get('valid_key', False): license_data = {} if license_data and 'features' in license_data and 'activity_streams' in license_data[ 'features']: # FIXME: Make the final setting value dependent on the feature? license_data['features'][ 'activity_streams'] &= settings.ACTIVITY_STREAM_ENABLED pendo_state = settings.PENDO_TRACKING_STATE if settings.PENDO_TRACKING_STATE in ( 'off', 'anonymous', 'detailed') else 'off' data = dict( time_zone=settings.TIME_ZONE, license_info=license_data, version=get_awx_version(), ansible_version=get_ansible_version(), eula=render_to_string("eula.md") if license_data.get('license_type', 'UNLICENSED') != 'open' else '', analytics_status=pendo_state, analytics_collectors=all_collectors(), become_methods=PRIVILEGE_ESCALATION_METHODS, ) # If LDAP is enabled, user_ldap_fields will return a list of field # names that are managed by LDAP and should be read-only for users with # a non-empty ldap_dn attribute. if getattr(settings, 'AUTH_LDAP_SERVER_URI', None): user_ldap_fields = ['username', 'password'] user_ldap_fields.extend( getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys()) user_ldap_fields.extend( getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys()) data['user_ldap_fields'] = user_ldap_fields if request.user.is_superuser \ or request.user.is_system_auditor \ or Organization.accessible_objects(request.user, 'admin_role').exists() \ or Organization.accessible_objects(request.user, 'auditor_role').exists() \ or Organization.accessible_objects(request.user, 'project_admin_role').exists(): data.update( dict(project_base_dir=settings.PROJECTS_ROOT, project_local_paths=Project.get_local_path_choices(), custom_virtualenvs=get_custom_venv_choices())) elif JobTemplate.accessible_objects(request.user, 'admin_role').exists(): data['custom_virtualenvs'] = get_custom_venv_choices() return Response(data)
def test_accessible_objects(organization, alice, bob): A = Role.objects.create() A.members.add(alice) B = Role.objects.create() B.members.add(alice) B.members.add(bob) assert Organization.accessible_objects(alice, 'admin_role').count() == 0 assert Organization.accessible_objects(bob, 'admin_role').count() == 0 A.children.add(organization.admin_role) assert Organization.accessible_objects(alice, 'admin_role').count() == 1 assert Organization.accessible_objects(bob, 'admin_role').count() == 0
def test_workflow_can_add(self, workflow, user_unit): organization = Organization(name='test-org') workflow.organization = organization organization.admin_role = Role() def mock_get_object(Class, **kwargs): if Class == Organization: return organization else: raise Exception('Item requested has not been mocked') access = WorkflowJobTemplateAccess(user_unit) with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True): with mock.patch('awx.main.access.get_object_or_400', mock_get_object): assert access.can_add({'organization': 1})
def job_template_with_ids(job_template_factory): # Create non-persisted objects with IDs to send to job_template_factory ssh_type = CredentialType(kind='ssh') credential = Credential(id=1, pk=1, name='testcred', credential_type=ssh_type) net_type = CredentialType(kind='net') net_cred = Credential(id=2, pk=2, name='testnetcred', credential_type=net_type) cloud_type = CredentialType(kind='aws') cloud_cred = Credential(id=3, pk=3, name='testcloudcred', credential_type=cloud_type) inv = Inventory(id=11, pk=11, name='testinv') proj = Project(id=14, pk=14, name='testproj') jt_objects = job_template_factory('testJT', project=proj, inventory=inv, credential=credential, cloud_credential=cloud_cred, network_credential=net_cred, persisted=False) jt = jt_objects.job_template jt.organization = Organization(id=1, pk=1, name='fooOrg') return jt
def test_auto_inheritance_by_children(organization, alice): A = Role.objects.create() B = Role.objects.create() A.members.add(alice) assert alice not in organization.admin_role assert Organization.accessible_objects(alice, 'admin_role').count() == 0 A.children.add(B) assert alice not in organization.admin_role assert Organization.accessible_objects(alice, 'admin_role').count() == 0 A.children.add(organization.admin_role) assert alice in organization.admin_role assert Organization.accessible_objects(alice, 'admin_role').count() == 1 A.children.remove(organization.admin_role) assert alice not in organization.admin_role B.children.add(organization.admin_role) assert alice in organization.admin_role B.children.remove(organization.admin_role) assert alice not in organization.admin_role assert Organization.accessible_objects(alice, 'admin_role').count() == 0 # We've had the case where our pre/post save init handlers in our field descriptors # end up creating a ton of role objects because of various not-so-obvious issues assert Role.objects.count() < 50
def get_queryset(self): qs = Organization.accessible_objects(self.request.user, 'read_role') qs = qs.select_related('admin_role', 'auditor_role', 'member_role', 'read_role') qs = qs.prefetch_related('created_by', 'modified_by') return qs
def mock_organization(): return Organization(pk=4, name="Unsaved Org")
def organization(): o = Organization(name='unit-test-org') apply_fake_roles(o) return o