def test_org_resource_role(ext_auth, organization, rando, org_admin):
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
access = OrganizationAccess(org_admin)
assert access.can_attach(organization, rando, 'member_role.members') == ext_auth
organization.member_role.members.add(rando)
assert access.can_unattach(organization, rando, 'member_role.members') == ext_auth
def test_ig_normal_user_associability(organization, default_instance_group,
user):
u = user('user', False)
access = OrganizationAccess(u)
assert not access.can_attach(organization, default_instance_group,
'instance_groups', None)
organization.instance_groups.add(default_instance_group)
organization.member_role.members.add(u)
assert not access.can_attach(organization, default_instance_group,
'instance_groups', None)
def test_organization_access_user(cl, organization, user):
access = OrganizationAccess(user('user', False))
organization.member_role.members.add(user('user', False))
assert not access.can_change(organization, None)
assert not access.can_delete(organization)
org = access.get_queryset()[0]
assert len(org.admin_role.members.all()) == 0
assert len(org.member_role.members.all()) == 1
def test_organization_access_admin(cl, organization, user):
'''can_change because I am an admin of that org'''
a = user('admin', False)
organization.admin_role.members.add(a)
organization.member_role.members.add(user('user', False))
access = OrganizationAccess(a)
assert access.can_change(organization, None)
assert access.can_delete(organization)
org = access.get_queryset()[0]
assert len(org.admin_role.members.all()) == 1
assert len(org.member_role.members.all()) == 1
def test_user_org_object_roles(organization, org_admin, org_member):
'''
Unlike admin & member roles, the special-purpose organization roles do not
confer any permissions related to user management,
Normal rules about role delegation should apply, only admin to org needed.
'''
assert RoleAccess(org_admin).can_attach(
organization.notification_admin_role, org_member, 'members', None)
assert OrganizationAccess(org_admin).can_attach(
organization, org_member, 'notification_admin_role.members', None)
assert not RoleAccess(org_member).can_attach(
organization.notification_admin_role, org_member, 'members', None)
assert not OrganizationAccess(org_member).can_attach(
organization, org_member, 'notification_admin_role.members', None)
def test_orphaned_user_allowed(org_admin, rando, organization):
'''
We still allow adoption of orphaned* users by assigning them to
organization member role, but only in the situation where the
org admin already posesses indirect access to all of the user's roles
*orphaned means user is not a member of any organization
'''
role_access = RoleAccess(org_admin)
org_access = OrganizationAccess(org_admin)
assert role_access.can_attach(organization.member_role, rando, 'members', None)
assert org_access.can_attach(organization, rando, 'member_role.members', None)
# Cannot edit the user directly without adding to org first
user_access = UserAccess(org_admin)
assert not user_access.can_change(rando, {'last_name': 'Witzel'})
def test_org_superuser_role_attach(admin_user, org_admin, organization):
'''
Ideally, you would not add superusers to roles (particularly member_role)
but it has historically been possible
this checks that the situation does not grant unexpected permissions
'''
organization.member_role.members.add(admin_user)
role_access = RoleAccess(org_admin)
org_access = OrganizationAccess(org_admin)
assert not role_access.can_attach(organization.member_role, admin_user, 'members', None)
assert not role_access.can_attach(organization.admin_role, admin_user, 'members', None)
assert not org_access.can_attach(organization, admin_user, 'member_role.members', None)
assert not org_access.can_attach(organization, admin_user, 'admin_role.members', None)
user_access = UserAccess(org_admin)
assert not user_access.can_change(admin_user, {'last_name': 'Witzel'})
def test_org_user_role_attach(user, organization, inventory):
'''
Org admins must not be able to add arbitrary users to their
organization, because that would give them admin permission to that user
'''
admin = user('admin')
nonmember = user('nonmember')
inventory.admin_role.members.add(nonmember)
organization.admin_role.members.add(admin)
role_access = RoleAccess(admin)
org_access = OrganizationAccess(admin)
assert not role_access.can_attach(organization.member_role, nonmember, 'members', None)
assert not role_access.can_attach(organization.admin_role, nonmember, 'members', None)
assert not org_access.can_attach(organization, nonmember, 'member_role.members', None)
assert not org_access.can_attach(organization, nonmember, 'admin_role.members', None)
def test_orphaned_user_allowed(org_admin, rando, organization, org_credential):
'''
We still allow adoption of orphaned* users by assigning them to
organization member role, but only in the situation where the
org admin already posesses indirect access to all of the user's roles
*orphaned means user is not a member of any organization
'''
# give a descendent role to rando, to trigger the conditional
# where all ancestor roles of rando should be in the set of
# org_admin roles.
org_credential.admin_role.members.add(rando)
role_access = RoleAccess(org_admin)
org_access = OrganizationAccess(org_admin)
assert role_access.can_attach(organization.member_role, rando, 'members',
None)
assert org_access.can_attach(organization, rando, 'member_role.members',
None)
# Cannot edit the user directly without adding to org first
user_access = UserAccess(org_admin)
assert not user_access.can_change(rando, {'last_name': 'Witzel'})
def test_need_all_orgs_to_admin_user(user):
'''
Old behavior - org admin to ANY organization that a user is member of
grants permission to admin that user
New behavior enforced here - org admin to ALL organizations that a
user is member of grants permission to admin that user
'''
org1 = Organization.objects.create(name='org1')
org2 = Organization.objects.create(name='org2')
org1_admin = user('org1-admin')
org1.admin_role.members.add(org1_admin)
org12_member = user('org12-member')
org1.member_role.members.add(org12_member)
org2.member_role.members.add(org12_member)
user_access = UserAccess(org1_admin)
assert not user_access.can_change(org12_member, {'last_name': 'Witzel'})
role_access = RoleAccess(org1_admin)
org_access = OrganizationAccess(org1_admin)
assert not role_access.can_attach(org1.admin_role, org12_member, 'members', None)
assert not role_access.can_attach(org1.member_role, org12_member, 'members', None)
assert not org_access.can_attach(org1, org12_member, 'admin_role.members')
assert not org_access.can_attach(org1, org12_member, 'member_role.members')
org2.admin_role.members.add(org1_admin)
assert role_access.can_attach(org1.admin_role, org12_member, 'members', None)
assert role_access.can_attach(org1.member_role, org12_member, 'members', None)
assert org_access.can_attach(org1, org12_member, 'admin_role.members')
assert org_access.can_attach(org1, org12_member, 'member_role.members')
def test_ig_associability(organization, default_instance_group, admin,
system_auditor, org_admin, org_member,
job_template_factory):
admin_access = OrganizationAccess(admin)
auditor_access = OrganizationAccess(system_auditor)
oadmin_access = OrganizationAccess(org_admin)
omember_access = OrganizationAccess(org_member)
assert admin_access.can_attach(organization, default_instance_group,
'instance_groups', None)
assert not oadmin_access.can_attach(organization, default_instance_group,
'instance_groups', None)
assert not auditor_access.can_attach(organization, default_instance_group,
'instance_groups', None)
assert not omember_access.can_attach(organization, default_instance_group,
'instance_groups', None)
organization.instance_groups.add(default_instance_group)
assert admin_access.can_unattach(organization, default_instance_group,
'instance_groups', None)
assert not oadmin_access.can_unattach(organization, default_instance_group,
'instance_groups', None)
assert not auditor_access.can_unattach(
organization, default_instance_group, 'instance_groups', None)
assert not omember_access.can_unattach(
organization, default_instance_group, 'instance_groups', None)
objects = job_template_factory('jt',
organization=organization,
project='p',
inventory='i',
credential='c')
admin_access = InventoryAccess(admin)
auditor_access = InventoryAccess(system_auditor)
oadmin_access = InventoryAccess(org_admin)
omember_access = InventoryAccess(org_member)
assert admin_access.can_attach(objects.inventory, default_instance_group,
'instance_groups', None)
assert oadmin_access.can_attach(objects.inventory, default_instance_group,
'instance_groups', None)
assert not auditor_access.can_attach(
objects.inventory, default_instance_group, 'instance_groups', None)
assert not omember_access.can_attach(
objects.inventory, default_instance_group, 'instance_groups', None)
admin_access = JobTemplateAccess(admin)
auditor_access = JobTemplateAccess(system_auditor)
oadmin_access = JobTemplateAccess(org_admin)
omember_access = JobTemplateAccess(org_member)
assert admin_access.can_attach(objects.job_template,
default_instance_group, 'instance_groups',
None)
assert oadmin_access.can_attach(objects.job_template,
default_instance_group, 'instance_groups',
None)
assert not auditor_access.can_attach(
objects.job_template, default_instance_group, 'instance_groups', None)
assert not omember_access.can_attach(
objects.job_template, default_instance_group, 'instance_groups', None)