def test_jt_add_scan_job_check(job_template_with_ids, user_unit):
"Assure that permissions to add scan jobs work correctly"
access = JobTemplateAccess(user_unit)
project = job_template_with_ids.project
inventory = job_template_with_ids.inventory
project.use_role = Role()
inventory.use_role = Role()
organization = Organization(name='test-org')
inventory.organization = organization
organization.admin_role = Role()
def mock_get_object(Class, **kwargs):
if Class == Project:
return project
elif Class == Inventory:
return inventory
else:
raise Exception('Item requested has not been mocked')
with mock.patch.object(JobTemplateAccess, 'check_license', return_value=None):
with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True):
with mock.patch('awx.main.access.get_object_or_400', mock_get_object):
assert access.can_add({
'project': project.pk,
'inventory': inventory.pk,
'job_type': 'scan'
})
def mk_organization(name, description=None, persisted=True):
description = description or '{}-description'.format(name)
org = Organization(name=name, description=description)
if persisted:
mk_instance(persisted)
org.save()
return org
def mk_organization(name, description=None, persisted=True):
description = description or '{}-description'.format(name)
org = Organization(name=name, description=description)
if persisted:
instances = Instance.objects.all()
if not instances:
mk_instance(persisted)
org.save()
return org
def get(self, request, format=None):
'''Return various sitewide configuration settings'''
if request.user.is_superuser or request.user.is_system_auditor:
license_data = get_license(show_key=True)
else:
license_data = get_license(show_key=False)
if not license_data.get('valid_key', False):
license_data = {}
if license_data and 'features' in license_data and 'activity_streams' in license_data[
'features']:
# FIXME: Make the final setting value dependent on the feature?
license_data['features'][
'activity_streams'] &= settings.ACTIVITY_STREAM_ENABLED
pendo_state = settings.PENDO_TRACKING_STATE if settings.PENDO_TRACKING_STATE in (
'off', 'anonymous', 'detailed') else 'off'
data = dict(
time_zone=settings.TIME_ZONE,
license_info=license_data,
version=get_awx_version(),
ansible_version=get_ansible_version(),
eula=render_to_string("eula.md") if
license_data.get('license_type', 'UNLICENSED') != 'open' else '',
analytics_status=pendo_state,
analytics_collectors=all_collectors(),
become_methods=PRIVILEGE_ESCALATION_METHODS,
)
# If LDAP is enabled, user_ldap_fields will return a list of field
# names that are managed by LDAP and should be read-only for users with
# a non-empty ldap_dn attribute.
if getattr(settings, 'AUTH_LDAP_SERVER_URI', None):
user_ldap_fields = ['username', 'password']
user_ldap_fields.extend(
getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys())
user_ldap_fields.extend(
getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
data['user_ldap_fields'] = user_ldap_fields
if request.user.is_superuser \
or request.user.is_system_auditor \
or Organization.accessible_objects(request.user, 'admin_role').exists() \
or Organization.accessible_objects(request.user, 'auditor_role').exists() \
or Organization.accessible_objects(request.user, 'project_admin_role').exists():
data.update(
dict(project_base_dir=settings.PROJECTS_ROOT,
project_local_paths=Project.get_local_path_choices(),
custom_virtualenvs=get_custom_venv_choices()))
elif JobTemplate.accessible_objects(request.user,
'admin_role').exists():
data['custom_virtualenvs'] = get_custom_venv_choices()
return Response(data)
def test_accessible_objects(organization, alice, bob):
A = Role.objects.create()
A.members.add(alice)
B = Role.objects.create()
B.members.add(alice)
B.members.add(bob)
assert Organization.accessible_objects(alice, 'admin_role').count() == 0
assert Organization.accessible_objects(bob, 'admin_role').count() == 0
A.children.add(organization.admin_role)
assert Organization.accessible_objects(alice, 'admin_role').count() == 1
assert Organization.accessible_objects(bob, 'admin_role').count() == 0
def test_workflow_can_add(self, workflow, user_unit):
organization = Organization(name='test-org')
workflow.organization = organization
organization.admin_role = Role()
def mock_get_object(Class, **kwargs):
if Class == Organization:
return organization
else:
raise Exception('Item requested has not been mocked')
access = WorkflowJobTemplateAccess(user_unit)
with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True):
with mock.patch('awx.main.access.get_object_or_400', mock_get_object):
assert access.can_add({'organization': 1})
def job_template_with_ids(job_template_factory):
# Create non-persisted objects with IDs to send to job_template_factory
ssh_type = CredentialType(kind='ssh')
credential = Credential(id=1,
pk=1,
name='testcred',
credential_type=ssh_type)
net_type = CredentialType(kind='net')
net_cred = Credential(id=2,
pk=2,
name='testnetcred',
credential_type=net_type)
cloud_type = CredentialType(kind='aws')
cloud_cred = Credential(id=3,
pk=3,
name='testcloudcred',
credential_type=cloud_type)
inv = Inventory(id=11, pk=11, name='testinv')
proj = Project(id=14, pk=14, name='testproj')
jt_objects = job_template_factory('testJT',
project=proj,
inventory=inv,
credential=credential,
cloud_credential=cloud_cred,
network_credential=net_cred,
persisted=False)
jt = jt_objects.job_template
jt.organization = Organization(id=1, pk=1, name='fooOrg')
return jt
def test_auto_inheritance_by_children(organization, alice):
A = Role.objects.create()
B = Role.objects.create()
A.members.add(alice)
assert alice not in organization.admin_role
assert Organization.accessible_objects(alice, 'admin_role').count() == 0
A.children.add(B)
assert alice not in organization.admin_role
assert Organization.accessible_objects(alice, 'admin_role').count() == 0
A.children.add(organization.admin_role)
assert alice in organization.admin_role
assert Organization.accessible_objects(alice, 'admin_role').count() == 1
A.children.remove(organization.admin_role)
assert alice not in organization.admin_role
B.children.add(organization.admin_role)
assert alice in organization.admin_role
B.children.remove(organization.admin_role)
assert alice not in organization.admin_role
assert Organization.accessible_objects(alice, 'admin_role').count() == 0
# We've had the case where our pre/post save init handlers in our field descriptors
# end up creating a ton of role objects because of various not-so-obvious issues
assert Role.objects.count() < 50
def get_queryset(self):
qs = Organization.accessible_objects(self.request.user, 'read_role')
qs = qs.select_related('admin_role', 'auditor_role', 'member_role',
'read_role')
qs = qs.prefetch_related('created_by', 'modified_by')
return qs
def mock_organization():
return Organization(pk=4, name="Unsaved Org")
def organization():
o = Organization(name='unit-test-org')
apply_fake_roles(o)
return o
