def test_job_template_access_admin(role_names, jt_linked, rando):
ssh_cred = jt_linked.machine_credential
access = JobTemplateAccess(rando)
# Appoint this user as admin of the organization
#jt_linked.inventory.organization.admin_role.members.add(rando)
assert not access.can_read(jt_linked)
assert not access.can_delete(jt_linked)
for role_name in role_names:
role = getattr(jt_linked.inventory.organization, role_name)
role.members.add(rando)
# Assign organization permission in the same way the create view does
organization = jt_linked.inventory.organization
ssh_cred.admin_role.parents.add(organization.admin_role)
proj_pk = jt_linked.project.pk
assert access.can_add(
dict(inventory=jt_linked.inventory.pk, project=proj_pk))
assert access.can_add(dict(credential=ssh_cred.pk, project=proj_pk))
for cred in jt_linked.credentials.all():
assert access.can_unattach(jt_linked, cred, 'credentials', {})
assert access.can_read(jt_linked)
assert access.can_delete(jt_linked)
def test_job_template_access_use_level(jt_linked, rando):
access = JobTemplateAccess(rando)
jt_linked.project.use_role.members.add(rando)
jt_linked.inventory.use_role.members.add(rando)
jt_linked.organization.job_template_admin_role.members.add(rando)
proj_pk = jt_linked.project.pk
org_pk = jt_linked.organization_id
assert access.can_change(jt_linked, {
'job_type': 'check',
'project': proj_pk
})
assert access.can_change(jt_linked, {
'job_type': 'check',
'inventory': None
})
for cred in jt_linked.credentials.all():
assert access.can_unattach(jt_linked, cred, 'credentials', {})
assert access.can_add(
dict(inventory=jt_linked.inventory.pk,
project=proj_pk,
organization=org_pk))
assert access.can_add(dict(project=proj_pk, organization=org_pk))
def test_job_template_access_read_level(jt_linked, rando):
access = JobTemplateAccess(rando)
jt_linked.project.read_role.members.add(rando)
jt_linked.inventory.read_role.members.add(rando)
jt_linked.get_deprecated_credential('ssh').read_role.members.add(rando)
proj_pk = jt_linked.project.pk
assert not access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk))
assert not access.can_add(dict(credential=jt_linked.credential, project=proj_pk))
assert not access.can_add(dict(vault_credential=jt_linked.vault_credential, project=proj_pk))
for cred in jt_linked.credentials.all():
assert not access.can_unattach(jt_linked, cred, 'credentials', {})
def test_jt_add_scan_job_check(job_template_with_ids, user_unit):
"Assure that permissions to add scan jobs work correctly"
access = JobTemplateAccess(user_unit)
project = job_template_with_ids.project
inventory = job_template_with_ids.inventory
project.use_role = Role()
inventory.use_role = Role()
organization = Organization(name='test-org')
inventory.organization = organization
organization.admin_role = Role()
def mock_get_object(Class, **kwargs):
if Class == Project:
return project
elif Class == Inventory:
return inventory
else:
raise Exception('Item requested has not been mocked')
with mock.patch.object(JobTemplateAccess, 'check_license', return_value=None):
with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True):
with mock.patch('awx.main.access.get_object_or_400', mock_get_object):
assert access.can_add({
'project': project.pk,
'inventory': inventory.pk,
'job_type': 'scan'
})
def test_job_template_access_read_level(jt_linked, rando):
ssh_cred = jt_linked.machine_credential
vault_cred = jt_linked.vault_credentials[0]
access = JobTemplateAccess(rando)
jt_linked.project.read_role.members.add(rando)
jt_linked.inventory.read_role.members.add(rando)
ssh_cred.read_role.members.add(rando)
proj_pk = jt_linked.project.pk
assert not access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk))
assert not access.can_add(dict(credential=ssh_cred.pk, project=proj_pk))
assert not access.can_add(dict(vault_credential=vault_cred.pk, project=proj_pk))
for cred in jt_linked.credentials.all():
assert not access.can_unattach(jt_linked, cred, 'credentials', {})
def test_job_template_access_org_admin(jt_linked, rando):
access = JobTemplateAccess(rando)
# Appoint this user as admin of the organization
jt_linked.inventory.organization.admin_role.members.add(rando)
# Assign organization permission in the same way the create view does
organization = jt_linked.inventory.organization
jt_linked.get_deprecated_credential('ssh').admin_role.parents.add(organization.admin_role)
proj_pk = jt_linked.project.pk
assert access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk))
assert access.can_add(dict(credential=jt_linked.credential, project=proj_pk))
for cred in jt_linked.credentials.all():
assert access.can_unattach(jt_linked, cred, 'credentials', {})
assert access.can_read(jt_linked)
assert access.can_delete(jt_linked)
def test_job_template_access_superuser(check_license, user, deploy_jobtemplate):
# GIVEN a superuser
u = user('admin', True)
# WHEN access to a job template is checked
access = JobTemplateAccess(u)
# THEN all access checks should pass
assert access.can_read(deploy_jobtemplate)
assert access.can_add({})
def test_job_template_access_use_level(jt_linked, rando):
access = JobTemplateAccess(rando)
jt_linked.project.use_role.members.add(rando)
jt_linked.inventory.use_role.members.add(rando)
jt_linked.credential.use_role.members.add(rando)
jt_linked.vault_credential.use_role.members.add(rando)
proj_pk = jt_linked.project.pk
assert access.can_add(
dict(inventory=jt_linked.inventory.pk, project=proj_pk))
assert access.can_add(
dict(credential=jt_linked.credential.pk, project=proj_pk))
assert access.can_add(
dict(vault_credential=jt_linked.vault_credential.pk, project=proj_pk))
for cred in jt_linked.extra_credentials.all():
assert not access.can_unattach(jt_linked, cred, 'extra_credentials',
{})
def test_project_use_access(project, rando):
project.use_role.members.add(rando)
access = JobTemplateAccess(rando)
assert access.can_add(None)
assert access.can_add({
'project': project.id,
'ask_inventory_on_launch': True
})
project2 = Project.objects.create(
name='second-project',
scm_type=project.scm_type,
playbook_files=project.playbook_files,
organization=project.organization,
)
project2.use_role.members.add(rando)
jt = JobTemplate.objects.create(project=project,
ask_inventory_on_launch=True)
jt.admin_role.members.add(rando)
assert access.can_change(jt, {'project': project2.pk})
def test_jt_can_add_bad_data(user_unit):
"Assure that no server errors are returned if we call JT can_add with bad data"
access = JobTemplateAccess(user_unit)
assert not access.can_add({'asdf': 'asdf'})
