Exemple #1
0
def test_user_access_attach(rando, inventory):
    inventory.read_role.members.add(rando)
    user_access = UserAccess(rando)
    role_access = RoleAccess(rando)
    data = {'id': inventory.admin_role.pk}
    assert not user_access.can_attach(rando, inventory.admin_role, 'roles', data, False)
    assert not role_access.can_attach(inventory.admin_role, rando, 'members', data, False)
Exemple #2
0
def test_manage_org_auth_setting(ext_auth, superuser, expect, organization,
                                 rando, user, team):
    u = user('foo-user', is_superuser=superuser)
    if not superuser:
        organization.admin_role.members.add(u)

    with mock.patch('awx.main.access.settings') as settings_mock:
        settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
        assert [
            # use via /api/v2/users/N/roles/
            UserAccess(u).can_attach(rando, organization.admin_role, 'roles'),
            UserAccess(u).can_attach(rando, team.admin_role, 'roles'),
            # use via /api/v2/roles/N/users/
            RoleAccess(u).can_attach(organization.admin_role, rando,
                                     'members'),
            RoleAccess(u).can_attach(team.admin_role, rando, 'members')
        ] == [expect for i in range(4)]
        assert [
            # use via /api/v2/users/N/roles/
            UserAccess(u).can_unattach(rando, organization.admin_role,
                                       'roles'),
            UserAccess(u).can_unattach(rando, team.admin_role, 'roles'),
            # use via /api/v2/roles/N/users/
            RoleAccess(u).can_unattach(organization.admin_role, rando,
                                       'members'),
            RoleAccess(u).can_unattach(team.admin_role, rando, 'members')
        ] == [expect for i in range(4)]
Exemple #3
0
def test_user_org_object_roles(organization, org_admin, org_member):
    '''
    Unlike admin & member roles, the special-purpose organization roles do not
    confer any permissions related to user management,
    Normal rules about role delegation should apply, only admin to org needed.
    '''
    assert RoleAccess(org_admin).can_attach(
        organization.notification_admin_role, org_member, 'members', None)
    assert not RoleAccess(org_member).can_attach(
        organization.notification_admin_role, org_member, 'members', None)
Exemple #4
0
def test_orphaned_user_allowed(org_admin, rando, organization):
    '''
    We still allow adoption of orphaned* users by assigning them to
    organization member role, but only in the situation where the
    org admin already posesses indirect access to all of the user's roles
    *orphaned means user is not a member of any organization
    '''
    role_access = RoleAccess(org_admin)
    assert role_access.can_attach(organization.member_role, rando, 'members', None)
    # Cannot edit the user directly without adding to org first
    user_access = UserAccess(org_admin)
    assert not user_access.can_change(rando, {'last_name': 'Witzel'})
Exemple #5
0
def test_team_access_attach(rando, team, inventory):
    # rando is admin of the team
    team.admin_role.members.add(rando)
    inventory.read_role.members.add(rando)
    # team has read_role for the inventory
    team.member_role.children.add(inventory.read_role)

    team_access = TeamAccess(rando)
    role_access = RoleAccess(rando)
    data = {'id': inventory.admin_role.pk}
    assert not team_access.can_attach(team, inventory.admin_role, 'member_role.children', data, False)
    assert not role_access.can_attach(inventory.admin_role, team, 'member_role.parents', data, False)
Exemple #6
0
def test_org_superuser_role_attach(admin_user, org_admin, organization):
    '''
    Ideally, you would not add superusers to roles (particularly member_role)
    but it has historically been possible
    this checks that the situation does not grant unexpected permissions
    '''
    organization.member_role.members.add(admin_user)

    role_access = RoleAccess(org_admin)
    assert not role_access.can_attach(organization.member_role, admin_user, 'members', None)
    assert not role_access.can_attach(organization.admin_role, admin_user, 'members', None)
    user_access = UserAccess(org_admin)
    assert not user_access.can_change(admin_user, {'last_name': 'Witzel'})
Exemple #7
0
def test_org_user_role_attach(user, organization, inventory):
    '''
    Org admins must not be able to add arbitrary users to their
    organization, because that would give them admin permission to that user
    '''
    admin = user('admin')
    nonmember = user('nonmember')
    inventory.admin_role.members.add(nonmember)

    organization.admin_role.members.add(admin)

    role_access = RoleAccess(admin)
    assert not role_access.can_attach(organization.member_role, nonmember, 'members', None)
    assert not role_access.can_attach(organization.admin_role, nonmember, 'members', None)
Exemple #8
0
def test_visible_roles(admin_user, system_auditor, rando, organization, project):
    '''
    system admin & system auditor fixtures needed to create system roles
    '''
    organization.auditor_role.members.add(rando)
    access = RoleAccess(rando)

    assert rando not in organization.admin_role
    assert access.can_read(organization.admin_role)
    assert organization.admin_role in Role.visible_roles(rando)

    assert rando not in project.admin_role
    assert access.can_read(project.admin_role)
    assert project.admin_role in Role.visible_roles(rando)
Exemple #9
0
def test_team_org_resource_role(ext_auth, organization, rando, org_admin, team):
    with mock.patch('awx.main.access.settings') as settings_mock:
        settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
        assert [
            # use via /api/v2/teams/N/roles/
            TeamAccess(org_admin).can_attach(team, organization.workflow_admin_role, 'roles'),
            # use via /api/v2/roles/teams/
            RoleAccess(org_admin).can_attach(organization.workflow_admin_role, team, 'member_role.parents')
        ] == [True for i in range(2)]
        assert [
            # use via /api/v2/teams/N/roles/
            TeamAccess(org_admin).can_unattach(team, organization.workflow_admin_role, 'roles'),
            # use via /api/v2/roles/teams/
            RoleAccess(org_admin).can_unattach(organization.workflow_admin_role, team, 'member_role.parents')
        ] == [True for i in range(2)]
Exemple #10
0
def test_team_org_object_roles(organization, team, org_admin, org_member):
    '''
    the special-purpose organization roles are not ancestors of any
    team roles, and can be delegated en masse through teams,
    following normal admin rules
    '''
    assert RoleAccess(org_admin).can_attach(
        organization.notification_admin_role, team, 'member_role.parents',
        {'id': 68})
    # Obviously team admin isn't enough to assign organization roles to the team
    team.admin_role.members.add(org_member)
    assert not RoleAccess(org_member).can_attach(
        organization.notification_admin_role, team, 'member_role.parents',
        {'id': 68})
    # Cannot make a team member of an org
    assert not RoleAccess(org_admin).can_attach(
        organization.member_role, team, 'member_role.parents', {'id': 68})
Exemple #11
0
def test_orphaned_user_allowed(org_admin, rando, organization, org_credential):
    '''
    We still allow adoption of orphaned* users by assigning them to
    organization member role, but only in the situation where the
    org admin already posesses indirect access to all of the user's roles
    *orphaned means user is not a member of any organization
    '''
    # give a descendent role to rando, to trigger the conditional
    # where all ancestor roles of rando should be in the set of
    # org_admin roles.
    org_credential.admin_role.members.add(rando)
    role_access = RoleAccess(org_admin)
    org_access = OrganizationAccess(org_admin)
    assert role_access.can_attach(organization.member_role, rando, 'members',
                                  None)
    assert org_access.can_attach(organization, rando, 'member_role.members',
                                 None)
    # Cannot edit the user directly without adding to org first
    user_access = UserAccess(org_admin)
    assert not user_access.can_change(rando, {'last_name': 'Witzel'})
Exemple #12
0
def test_need_all_orgs_to_admin_user(user):
    '''
    Old behavior - org admin to ANY organization that a user is member of
        grants permission to admin that user
    New behavior enforced here - org admin to ALL organizations that a
        user is member of grants permission to admin that user
    '''
    org1 = Organization.objects.create(name='org1')
    org2 = Organization.objects.create(name='org2')

    org1_admin = user('org1-admin')
    org1.admin_role.members.add(org1_admin)

    org12_member = user('org12-member')
    org1.member_role.members.add(org12_member)
    org2.member_role.members.add(org12_member)

    user_access = UserAccess(org1_admin)
    assert not user_access.can_change(org12_member, {'last_name': 'Witzel'})

    role_access = RoleAccess(org1_admin)
    assert not role_access.can_attach(org1.admin_role, org12_member, 'members',
                                      None)
    assert not role_access.can_attach(org1.member_role, org12_member,
                                      'members', None)

    org2.admin_role.members.add(org1_admin)
    assert role_access.can_attach(org1.admin_role, org12_member, 'members',
                                  None)
    assert role_access.can_attach(org1.member_role, org12_member, 'members',
                                  None)
Exemple #13
0
def test_role_access_attach(rando, inventory):
    inventory.read_role.members.add(rando)
    access = RoleAccess(rando)
    assert not access.can_attach(inventory.admin_role, rando, 'members', None)