def test_job_template_access_use_level(jt_linked, rando): access = JobTemplateAccess(rando) jt_linked.project.use_role.members.add(rando) jt_linked.inventory.use_role.members.add(rando) jt_linked.organization.job_template_admin_role.members.add(rando) proj_pk = jt_linked.project.pk org_pk = jt_linked.organization_id assert access.can_change(jt_linked, { 'job_type': 'check', 'project': proj_pk }) assert access.can_change(jt_linked, { 'job_type': 'check', 'inventory': None }) for cred in jt_linked.credentials.all(): assert access.can_unattach(jt_linked, cred, 'credentials', {}) assert access.can_add( dict(inventory=jt_linked.inventory.pk, project=proj_pk, organization=org_pk)) assert access.can_add(dict(project=proj_pk, organization=org_pk))
def test_change_jt_sensitive_data(job_template_with_ids, mocker, user_unit): """Assure that can_add is called with all ForeignKeys.""" job_template_with_ids.admin_role = Role() data = {'inventory': job_template_with_ids.inventory.id + 1} access = JobTemplateAccess(user_unit) mock_add = mock.MagicMock(return_value=False) with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True): with mocker.patch('awx.main.access.JobTemplateAccess.can_add', mock_add): with mocker.patch('awx.main.access.JobTemplateAccess.can_read', return_value=True): assert not access.can_change(job_template_with_ids, data) mock_add.assert_called_once_with({ 'inventory': data['inventory'], 'project': job_template_with_ids.project.id })
def test_project_use_access(project, rando): project.use_role.members.add(rando) access = JobTemplateAccess(rando) assert access.can_add(None) assert access.can_add({ 'project': project.id, 'ask_inventory_on_launch': True }) project2 = Project.objects.create( name='second-project', scm_type=project.scm_type, playbook_files=project.playbook_files, organization=project.organization, ) project2.use_role.members.add(rando) jt = JobTemplate.objects.create(project=project, ask_inventory_on_launch=True) jt.admin_role.members.add(rando) assert access.can_change(jt, {'project': project2.pk})
def test_change_jt_sensitive_data(job_template_with_ids, mocker, user_unit): """Assure that can_add is called with all ForeignKeys.""" class RoleReturnsTrue(Role): class Meta: proxy = True def __contains__(self, accessor): return True job_template_with_ids.admin_role = RoleReturnsTrue() job_template_with_ids.organization.job_template_admin_role = RoleReturnsTrue( ) inv2 = Inventory() inv2.use_role = RoleReturnsTrue() data = {'inventory': inv2} access = JobTemplateAccess(user_unit) assert not access.changes_are_non_sensitive(job_template_with_ids, data) job_template_with_ids.inventory.use_role = RoleReturnsTrue() job_template_with_ids.project.use_role = RoleReturnsTrue() assert access.can_change(job_template_with_ids, data)
def test_delete_survey_access_without_license(job_template_with_survey, admin_user): """Assure that access.py allows deleting surveys after downgrading license.""" access = JobTemplateAccess(admin_user) assert access.can_change(job_template_with_survey, dict(survey_spec=None)) assert access.can_change(job_template_with_survey, dict(survey_spec={}))
def test_disable_survey_access_without_license(job_template_with_survey, admin_user): """Assure that user can disable a JT survey after downgrading license.""" access = JobTemplateAccess(admin_user) assert access.can_change(job_template_with_survey, dict(survey_enabled=False))